§ 1. Ciphering

1.1. INTRODUCTION, CRYPTOGRAPHIC TASKS 

There is no doubt that electronic communications have become one of the main 
pillars of the modern society and their ongoing boom requires the development of 
new methods and techniques to secure data transmission and data storage. This 
is the goal of cryptography. Etymologically derived from Greek κρυπτός, hidden
or secret, and γράφειν, writing, cryptography may generally be defined as the art
of writing (encryption) and deciphering (decryption) messages in code in order to
ensure their confidentiality, authenticity, integrity and non-repudiation.
Cryptography and cryptanalysis, the art of codebreaking, together constitute
cryptology (λόγος, a word).

Nowadays many paper-based communications have already been replaced by elec- 
tronic means, raising the challenge to find electronic counterparts to stamps, seals 
and hand-written signatures. The growing variety of applications brings many tasks
that must be solved. Let us name a few. The fundamental task of cryptography 
is to allow two users to render their communications unintelligible to any third 
party, while for the two legitimate users the messages remain intelligible. The goal 
of identification is to verify the identities of the communicating parties. Another 
cryptographic task is secret sharing: A secret, e.g., a password, is split into several 
pieces in such a way that when a certain minimal subset of the pieces is put to- 
gether, the secret is recovered. Other cryptographic applications are, for example, 
digital signatures, authentication of messages, zero-knowledge proofs, and so on. 

At all times people have wished to have the possibility to communicate in se- 
crecy so as to allow nobody to overhear their messages. Archeological excavations 
have revealed that various types of cryptography had already been used by ancient 
civilizations in Mesopotamia, India, or China (Kahn [1967]). Four thousand years 
ago, ancient Egyptians used modified hieroglyphs to conceal their messages. In the 
Iliad, Homer depicts how Proetus, the king of Argolis, sends Bellerophon to Lycia 
with "a lethal message, coded symbols inscribed on a folded tablet" (Homer [8th c.
B.C.]).

In the 5th century BC, the Spartans in Greece designed the Skytale cryptodevice,
based on transposition of letters (Old Spartan Facts). A stripe of parchment or 
leather was wound around a wooden baton, across which the message was written. 
When the end of line was reached, the baton was rotated. After the parchment 
was unwrapped, the letters looked scrambled and only the person who possessed a 
baton of an identical shape could recover the message. 

Another favorite and easy cipher is the substitution cipher, which substitutes 
each letter of a message with another letter, number or a symbol. An example is 
the Caesar cipher (Stinson [1995]). To communicate between the Roman legions 
scattered over the Roman republic, Gaius Julius Caesar used a cipher, where each 
letter of a message was advanced by three letters in the alphabet; A was replaced 
by D, B was replaced by E, C by F, and so on. A similar substitution cipher is also
described in the Kama Sutra.

During the Middle Ages, most cryptosystems were based on transposition or 
substitution or a combination of both (Leary [1996]). However, neither of these 
ciphers is secure, because it is possible to break them by exploiting various
characteristic properties of the language, such as the frequency of individual
letters and their clusters.

The invention of the telegraph in the 1830s enormously facilitated communica- 
tions between people. This ancestor of modern communications, however, had a 
serious drawback from the cryptographic point of view - the content of the trans- 
mitted message was known to the telegraph operator. As a consequence, various 
codebooks were designed by people and companies that wanted to keep their com- 
munications private. The codebooks translated significant words and phrases into 
short, nonsensical words. The codes served two purposes: first, they reduced the 
size of the message and thus decreased the costs because telegrams were charged 
per transmitted character; and second, if the codebook was kept secret, the codes 
became a cipher. 

The two world wars of the 20th century accelerated the development of new
cryptographic techniques. Cryptographers tried to design a system where the en- 
cryption and decryption algorithms could be publicly known, but the secrecy of the 
message would be guaranteed by some secret information, the cryptographic key, 
shared between the users. In 1917, Gilbert S. Vernam proposed an unbreakable 
cryptosystem, hence called the Vernam cipher or One-time Pad (Vernam [1926]). 
Its unconditional security has been proved by Claude E. Shannon (in terms of in- 
formation theory) in 1949 (Shannon [1949]). The One-time Pad is a special case 
of the substitution cipher, where each letter is advanced by a random number of 
positions in the alphabet. These random numbers then form the cryptographic key 
that must be shared between the sender and the recipient. Even though the Vernam 
cipher offers unconditional security against adversaries possessing unlimited com- 
putational power and technological abilities, it faces the problem of how to securely 
distribute the key. That is why it did not become widespread as Vernam had hoped. 
On the other hand, there are many military and diplomatic applications, where the 
security of communications outweighs the severe key management problems. The 
Vernam cipher was used by the infamous spies Theodore A. Hall, Klaus Fuchs, the 
Rosenbergs and others, who were passing atomic secrets to Moscow. Che Guevara 
also encrypted his messages to Fidel Castro by means of the One-time Pad. It was 
employed in securing the hot line between Washington and Moscow and it is said 
to be used for communications between nuclear submarines and for some embassy 
communications. We will come back to the Vernam cipher later on, as it is this 
cipher that is very expedient for quantum key distribution. 

In 1918, Arthur Scherbius invented an ingenious electric cipher machine, called 
Enigma, which was patented a year later (Deavours and Kruh [1985]). The Enigma 
consisted of a set of rotating wired wheels, which performed a very sophisticated 
substitution cipher. After various improvements, it was adopted by the German 
Navy in 1926, the German Army in 1928, and the Air Force in 1935, and it was used 
by the Germans and Italians throughout World War II. The military Enigma had
an incredible 159 x 10^18 possible settings (cryptographic keys). The immense number
of potential keys led Alan Turing to construct the first electronic computer, which 
helped break the Enigma ciphers in the course of the War. Today a Pentium-based 
computer can unscramble an Enigma-encrypted message within minutes. 
1.2. ASYMMETRICAL CIPHERS (PUBLIC-KEY CRYPTOGRAPHY)

A new surge of interest in cryptography was triggered by the upswing in electronic 
communications in the late 70s of the 20th century. It was essential to enable
secure communication between users who have never met before and share no secret
cryptographic key. The question was how to distribute the key in a secure way. The
solution was found by Whitfield Diffie and Martin E. Hellman, who invented public-
key cryptography in 1976 (Diffie and Hellman [1976]). The ease of use of public-
key cryptography, in turn, stimulated the boom of electronic commerce during the
1990s. Notice, however, that asymmetric ciphers can provide users who have never
met with a secret channel but - without the help of a Trusted Authority - they cannot
prove the identity of users.

Public-key cryptography requires two keys - the public key and the private key, 
which form a key pair. The recipient generates two keys, makes the public key 
public and keeps his private key in a secret place to ensure its private possession. 
The algorithm is designed in such a way that anyone can encrypt a message using 
the public key, however, only the legitimate recipient can decrypt the message using 
his/her private key. 

Of course, there is a problem of authenticity of the public key. Therefore public
keys are distributed through Trusted Authorities in practice.

The security of public-key cryptography rests on various computational problems,
which are believed to be intractable. The encryption and decryption algorithms uti- 
lize the so-called one-way functions. One-way functions are mathematical functions 
that are easy to compute in one direction, but their inversion is very difficult (by 
"difficult" it is meant that the number of the required elementary operations in- 
creases exponentially with the length of the input number). It is, e.g., very easy to 
multiply two prime numbers, but to factor the product of two large primes is already 
a difficult task. Other public-key cryptosystems are based, e.g., on the difficulty of 
the discrete logarithm problem in Abelian groups on elliptic curves or other finite 
groups. However, it is important to point out that no "one-way function" has been 
proved to be one-way; they are merely believed to be. 2 Public-key cryptography 
cannot provide unconditional security. We speak about computational security. 

Today the most widely used public-key system is the RSA cryptosystem. RSA 
was invented in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman (Rivest
et al. [1978]), whose names form the acronym. RSA exploits the difficulty of
factoring large numbers. The receiver picks two large primes p and q and makes
their product public. Further, he chooses two large natural numbers d and e [such
that (de - 1) is divisible by (p - 1)(q - 1)]. The product pq together with the
number e constitutes the public key. Using this key, anyone can encrypt a message
P (P < pq) employing a simple algorithm: C = P^e mod pq, where C is the resulting
cipher text. The cipher text can easily be decrypted if the private key d is known:
P = C^d mod pq. However, in order to invert the algorithm without knowing the
private key d it is necessary to find the prime factors of the modulus. Although 
there are several other ways to attack the RSA system, the most promising one still 
seems to be to attempt to factor the modulus. 
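The RSA steps just described, as an added example that is not part of the original article: key generation with the condition that (de - 1) is divisible by (p - 1)(q - 1), encryption C = P^e mod pq, decryption P = C^d mod pq, and the attack the text singles out, factoring the modulus. The primes 10007 and 10009, the exponent 65537 and the message are constructed toy values; real moduli are thousands of bits and cannot be factored by trial division.

```python
# Added example (not from the paper): a toy RSA round trip following the text,
# plus the "factor the modulus" attack it names, on a modulus small enough to
# factor by trial division. Primes, exponent and message are constructed for
# illustration only; real keys use primes of hundreds of digits.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Inverse of a modulo m (raises if gcd(a, m) != 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def rsa_keygen(p, q, e=65537):
    """Public key (pq, e) and private exponent d with (d*e - 1) divisible by (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    if (d * e - 1) % phi != 0:          # the condition stated in the text
        raise RuntimeError("bad key pair")
    return (n, e), d

def rsa_encrypt(pub, P):
    """C = P^e mod pq; the message must satisfy P < pq."""
    n, e = pub
    if not 0 <= P < n:
        raise ValueError("plaintext must satisfy 0 <= P < pq")
    return pow(P, e, n)

def rsa_decrypt(n, d, C):
    """P = C^d mod pq with the private exponent d."""
    return pow(C, d, n)

def factor_trial(n):
    """Recover p and q by trial division: fine for a 27-bit toy modulus,
    hopeless for the 2048- or 4096-bit moduli the text recommends."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1 if f == 2 else 2
    return None

def break_toy_rsa(pub, C):
    """Without d: factor n, rebuild d from (p-1)(q-1), then decrypt normally."""
    n, e = pub
    p, q = factor_trial(n)
    d = modinv(e, (p - 1) * (q - 1))
    return rsa_decrypt(n, d, C)

def demo(p, q, P):
    """Key generation, encryption, legitimate decryption and the factoring
    attack in one call; returns (decrypted with d, decrypted by factoring)."""
    pub, d = rsa_keygen(p, q)
    C = rsa_encrypt(pub, P)
    return rsa_decrypt(pub[0], d, C), break_toy_rsa(pub, C)

if __name__ == "__main__":
    print(demo(10007, 10009, 424242))   # constructed toy primes and message
```

The whole security argument of the text lives in factor_trial: for a modulus of a few tens of bits it finishes instantly, and everything after it is just the legitimate decryption; the only thing that changes for a 2048-bit modulus is that no known method replaces that loop in feasible time.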

In 1976 Richard Guy wrote (Guy [1976]): "I shall be surprised if anyone regularly
factors numbers of size 10^80 without special form during the present century". The
first challenge to break a 425-bit RSA key (equivalent to 129 decimal digits) was
published in Scientific American in 1977 (Gardner [1977]). Ronald Rivest calculated
that to factor a 125-digit number, the product of two 63-digit primes, would take
at least 40 x 10^15 years (about one million times the age of the universe) with
the best factoring algorithms then known. However, 17 years later, in 1994, new
factoring algorithms had been discovered and computer power had advanced to
such a level that it took 1600 computers (and two fax machines!) interconnected
over the Internet only 8 months. Today a single Pentium-based PC could do the
same job.

2 This belief is based on the experience that even years of effort by many experts have not proved
the opposite.

While breaking 425-bit RSA required a large number of computers, in February 
1999 it was only 185 machines that managed to factor a 465-bit RSA modulus 
in 9 weeks. At that time, 95% of e-commerce on the Internet was protected by 
512-bit keys (155-digit number). A 512-bit number was factored in August 1999 
by 292 machines. That means that not even 512-bit keys provide sufficient security
for anything more than very short-term security needs. All these challenges have 
served to estimate the amount of work and the cost of breaking a key of a certain 
size by public efforts. It is obviously much more difficult to estimate what can be 
achieved by private and governmental efforts with much larger budgets. 

A network of computers is not the only way to factor large integers. In 1999 
Adi Shamir proposed the TWINKLE device (Shamir [1999]) - a massively parallel 
optoelectronic factoring device, which is about three orders of magnitude faster 
than a conventional fast PC and can facilitate the factoring of 512- and 768-bit 
keys. Today it is already recommended to move to longer key lengths and to use 
key sizes of 2048 bits for corporate use and 4096 bits for valuable keys. 

Another menace to the security of public-key cryptography could originate from 
the construction of a quantum computer. The decryption using a quantum com- 
puter would take about the same time as the encryption, thereby making public- 
key cryptography worthless. Algorithms capable of doing so have already been 
developed (Shor [1994]) and first experiments with small-scale quantum computers 
successfully pave the way to more sophisticated devices (Vandersypen et al. [2001]). 

1.3. SYMMETRICAL CIPHERS (SECRET-KEY CRYPTOGRAPHY) 

In secret-key cryptography users must share a secret key beforehand. The common 
key is then used for both encryption and decryption. 3 Secure key distribution is 
the main drawback of secret-key cryptosystems. The security of communications 
is reduced to the security of secret-key distribution. In order to avoid the necessity 
of personal meetings or courier services to exchange the secret key, some users use 
public-key cryptography to distribute the key, which is then used in a secret-key 
cryptosystem. In such a case, even if the symmetric cipher was unconditionally 
secure the security of the whole system will be degraded to computational security. 
These so-called hybrid systems have gained a widespread use, because they combine 
the speed of secret-key systems with the efficiency of key management of public- 
key systems. They have been used for electronic purchases, financial transactions,
ATM transactions and PIN encryptions, identification and authentication of cellular
phone conversations, electronic signatures, and many other applications, whose
number is swelling.

3 Secret-key cryptography can provide its users even with unconditional security if they share a
sufficiently long key (using the Vernam cipher). But symmetric algorithms with a key shorter than
the message are not unconditionally secure.

The most spread secret-key cryptosystem is the Data Encryption Standard (DES) 
and its variations. Due to its frequent use in the hybrid systems, it is the most often 
used cryptosystem ever. DES was developed by IBM and the U.S. government in 
1975 and it was adopted as a standard two years later. DES is an example of a block 
cipher - an algorithm that takes a fixed-length string of plaintext and transforms 
it through a series of operations into another ciphertext of the same length. In the 
case of DES, the block size is 64 bits. The transformation depends on the key. The 
algorithm consists of the cascade of 16 iterations of substitutions and transpositions 
and can easily be implemented in hardware, where it can reach very high speeds of 
encryption. 

DES has experienced a similar wave of attacks as public-key cryptosystems. The 
algorithm uses a 56-bit key, which is reused to encrypt the entire message. As a 
consequence, it is only computationally secure. In 1997, RSA Data Security, Inc. 
published their first challenge to decrypt a plaintext message scrambled by DES. 
It took 96 days to break it. The researchers applied "brute force" by searching 
the entire keyspace of 2^56 possible keys on a large number of computers (Wiener
[1997]). In January 1998, a new prize was offered. The winner of the contest used 
the idle time of computers connected to the Internet. More than 50,000 CPUs were 
linked together. The key was found after 41 days (DES Cracker 1). Another group 
of codebreakers chose a different approach. They built a single machine, which 
revealed the encrypted message "It's time for those 128-, 192-, and 256-bit keys" 
after only 56 hours, searching at a rate of 88 billion keys per second (DES Cracker 
2). 

In the challenge in January 1999, the two previous winners combined their efforts 
to find the key in only 22 hours and 15 minutes, testing 245 billion keys per second. 
In 1993, Michael Wiener designed a DES key search machine which, based on 1997's 
technology, would break DES in 3.5 hours (Wiener [1997]). The same machine 
based on 2000's technology would take only 100 seconds (Silverman [2000]). The 
exhaustive search is not the only possible attack on DES. During the 1990s, other 
successful attacks were proposed that exploit the internal structure of the cipher 
(Biham and Knudsen [1998]). 

Cryptographers attempted to improve the security of DES. Triple DES, DESX 
and other modifications were developed. In October 2000, a four-year effort to 
replace the aging DES culminated in the announcement of a new standard, the 
Advanced Encryption Standard (AES). It uses blocks of 128 bits and key sizes of 
128, 192, and 256 bits. This standard was approved in December 2001 and went 
into effect in May 2002. How long will it last? 

In summary, the security of conventional techniques relies on the assumption of 
limited advancement of mathematical algorithms and computational power in the 
foreseeable future, and also on limited financial resources available to a potential 
adversary. Computationally secure cryptosystems, no matter whether public- or 
secret-key, will always be threatened by breakthroughs, which are difficult to pre- 
dict, and even steady progress of code-breaking allows the adversary to "reach back 
in time" and break older, earlier captured, communications encrypted with weaker 
keys. 
Another common problem of conventional cryptographic methods is the so-called
side-channel cryptanalysis (Rosa [2001]). Side channels are undesirable ways through 
which information related to the activity of the cryptographic device can leak out. 
The attacks based on side-channel information do not assault the mathematical 
structure of cryptosystems, but their particular implementations. It is possible to 
gain information by measuring the amount of time needed to perform some opera- 
tion, by measuring power consumption, heat radiation or electromagnetic emana- 
tion. The problem of side channels will be further discussed in Section 8.7. 

1.4. VERNAM CIPHER, KEY DISTRIBUTION PROBLEM 

Classical cryptography can provide an unbreakable cipher, which resists adversaries 
with unlimited computational and technological power - the Vernam cipher. The 
Vernam cipher was invented in 1917 by the AT&T engineer Gilbert S. Vernam (Ver- 
nam [1926]), who thought it would become widely used for automatic encryption 
and decryption of telegraph messages. 

The Vernam cipher belongs to the symmetric secret-key ciphers, i.e., the same 
key is used for both, encryption and decryption. The principle of the cipher is that 
if a random key is added to a message, the bits of the resulting string are also 
random and carry no information about the message. If we use the binary logic, 
unlike Vernam who worked with a 26-letter alphabet, the encryption algorithm E 
can be written as

$E_K(M) = (M_1 + K_1, M_2 + K_2, \ldots, M_n + K_n) \bmod 2,$ (1.1)

where $M = (M_1, M_2, \ldots, M_n)$ is the message to be encrypted and
$K = (K_1, K_2, \ldots, K_n)$ is the key consisting of random bits. The message and the key are
added bitwise modulo 2, or exclusive OR without carries. The decryption D of
ciphertext $C = E_K(M)$ is identical to encryption, because double modulo-2 addition
is the identity, therefore

$M = D_K(C) = (C_1 + K_1, C_2 + K_2, \ldots, C_n + K_n) \bmod 2.$ (1.2)

For this system to be unconditionally secure, three requirements are imposed on the
key: (1) The key must be as long as the message; (2) it must be purely random; (3)
it may be used only once. 4 This was shown by Claude E. Shannon (Shannon [1949]),
who laid the foundations of communication theory from the cryptographic point
of view and compared various cryptosystems with respect to their secrecy. Until
1949 when his paper was published, the Vernam cipher was considered unbreakable,
but it was not mathematically proved. If any of these requirements is not fulfilled,
the security of the system is jeopardized. A good example is the revelation of the
WWII atomic spies because of repetitive use of the key incorrectly prepared by the
KGB (NSA publications).

The main drawback of the Vernam cipher is the necessity to distribute a secret
key as long as the message, which prevented it from wider use. The cipher has so
far found applications mostly in the military and diplomatic services. It is here
that quantum mechanics comes in handy and readily offers a solution. Quantum
mechanics gives us the power to detect eavesdropping. Taking into account the
problem of authentication, which requires the communicating parties to share a
certain amount of secret information, quantum cryptography provides a tool for
unlimited growing of the secret key.

4 If a key K is used twice to encode two different messages M and M' into ciphertexts C and
C' then one can see that $(C_1 + C'_1, C_2 + C'_2, \ldots, C_n + C'_n) \bmod 2 = (M_1 + M'_1, M_2 + M'_2, \ldots, M_n + M'_n) \bmod 2$.
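The Vernam cipher of Eqs. (1.1) and (1.2) on byte strings, together with the key-reuse failure of footnote 4, as an added example that is not part of the original article. The messages and the fixed reused key are constructed for illustration; fresh_key() shows where a real one-time key would come from (a cryptographic random source, used once).

```python
# Added example (not from the paper): the Vernam cipher of Eqs. (1.1)-(1.2) on
# byte strings, and the key-reuse failure of footnote 4. The messages and the
# fixed key are constructed for illustration; fresh_key() is the real source.
import secrets

def xor_bytes(a, b):
    """Bitwise addition modulo 2 (exclusive OR, no carries) of equal-length strings."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def vernam_encrypt(message, key):
    """Eq. (1.1): C = E_K(M) = (M_i + K_i) mod 2 for every bit i."""
    return xor_bytes(message, key)

def vernam_decrypt(ciphertext, key):
    """Eq. (1.2): D_K is the same operation, since adding K twice is the identity."""
    return xor_bytes(ciphertext, key)

def fresh_key(n):
    """Requirements (1)-(3): as long as the message, from a CSPRNG, used once."""
    return secrets.token_bytes(n)

def key_reuse_leak(c1, c2):
    """Footnote 4: encrypting M and M' under the same K gives C + C' = M + M'
    (mod 2); the key drops out and the XOR of the two plaintexts is exposed."""
    return xor_bytes(c1, c2)

def other_plaintext(c1, c2, known_m1):
    """Knowing one plaintext then yields the other from the leaked XOR alone,
    which is why requirement (3), use the key only once, cannot be relaxed."""
    return xor_bytes(key_reuse_leak(c1, c2), known_m1)

if __name__ == "__main__":
    m = b"attack at dawn"
    k = fresh_key(len(m))
    print(vernam_decrypt(vernam_encrypt(m, k), k) == m)     # True
    # constructed two-time-pad scenario with a deliberately reused key
    m1, m2 = b"attack at dawn", b"retreat now!!!"
    k_reused = bytes(range(14))
    c1, c2 = vernam_encrypt(m1, k_reused), vernam_encrypt(m2, k_reused)
    print(other_plaintext(c1, c2, m1))                       # b'retreat now!!!'
```

Note that xor_bytes refuses a key of the wrong length rather than recycling it: requirement (1) is enforced by construction, and the last two functions are exactly the calculation of footnote 4, showing what an adversary learns the moment requirement (3) is violated.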

§ 2. Quantum key distribution 

2.1. THE PRINCIPLE, EAVESDROPPING CAN BE DETECTED 

As mentioned above, the main problem of secret-key cryptosystems is the secure 
distribution of keys. While the security of classical cryptographic methods can be 
undermined by advances in technology and mathematical algorithms, the quantum 
approach can provide unconditional security. The principle of quantum cryptogra- 
phy consists in the use of non-orthogonal quantum states. Its security is guaranteed 
by the Heisenberg uncertainty principle, which does not allow us to discriminate 
non-orthogonal states with certainty and without disturbing the measured system. 

Within the framework of classical physics, it is impossible to reveal potential 
eavesdropping, because information encoded into any property of a classical object 
can be acquired without affecting the state of the object. All classical signals 
can be monitored passively. In classical communications, one bit of information is 
encoded into two distinguishable states of billions of photons, electrons, atoms or 
other carriers. It is always possible to passively listen in by splitting off part of the 
signal and performing a measurement on it. 

In quantum cryptosystems the inviolateness of the channel is constantly tested
by the use of non-orthogonal quantum states as information carriers. Because 
information is encoded into states with non-zero overlap, it cannot be read, copied 
or split without introducing detectable disturbances. 

It should be noted that quantum mechanics does not avert eavesdropping; it only 
enables us to detect the presence of an eavesdropper. Since only the cryptographic 
key is transmitted, no information leak can take place when someone attempts to 
listen in. When discrepancies are found, the key is simply discarded and the users 
repeat the procedure to generate a new key. 

2.2. QUANTUM MEASUREMENT 

Measurement in quantum physics differs substantially from the measurement in 
classical physics. According to quantum theory any measurement can distinguish 
with certainty (i.e. without errors or inconclusive results) only among specific or- 
thogonal state vectors (that form the so-called measurement basis). Non-orthogonal
states cannot be distinguished perfectly. Furthermore, quantum measurement dis-
turbs the system in general. If the system is in a state that cannot be expressed
as a multiple of one of the measurement-basis vectors but only as their linear su-
perposition, then this state is changed after the measurement. The original state
is "forgotten" during the measurement process and randomly changed to the state
corresponding to one of the basis vectors. This is precisely the key feature of the
quantum world that makes it possible to detect eavesdropping. Eavesdropping is
nothing else than a kind of measurement on the information carrier. If non-orthogonal
states are used in transmission, eavesdropping must disturb some of them, i.e. induce
errors. With a suitably designed protocol, these errors can later be discovered by
the legitimate users of the channel, as will be seen in Section 2.4.

2.3. QUANTUM STATES CANNOT BE CLONED 

The linearity of quantum mechanics prohibits cloning arbitrary unknown
quantum states (Wootters and Zurek [1982]). A device intended to make a copy
of, say, a photon with horizontal polarization $|H\rangle$, needs to perform the following
operation

$|\mathrm{copier}_0\rangle|\mathrm{blank}\rangle|H\rangle \to |\mathrm{copier}_1\rangle|H\rangle|H\rangle,$ (2.1)

and similarly for orthogonal vertical polarization $|V\rangle$

$|\mathrm{copier}_0\rangle|\mathrm{blank}\rangle|V\rangle \to |\mathrm{copier}_2\rangle|V\rangle|V\rangle,$ (2.2)

where $|\mathrm{copier}_0\rangle$ is the initial state of the copier, $|\mathrm{copier}_1\rangle$ and $|\mathrm{copier}_2\rangle$ are its
final states, and $|\mathrm{blank}\rangle$ denotes the initial "empty" state of the ancillary system
(photon) to which the information (polarization state) should be copied. However,
if we want to copy a linear superposition of states $|H\rangle$ and $|V\rangle$, we obtain

$|\mathrm{copier}_0\rangle|\mathrm{blank}\rangle(\alpha|H\rangle + \beta|V\rangle) = \alpha|\mathrm{copier}_0\rangle|\mathrm{blank}\rangle|H\rangle + \beta|\mathrm{copier}_0\rangle|\mathrm{blank}\rangle|V\rangle$

$\to \alpha|\mathrm{copier}_1\rangle|H\rangle|H\rangle + \beta|\mathrm{copier}_2\rangle|V\rangle|V\rangle,$ (2.3)

which is different from the required state

$|\mathrm{copier}_3\rangle(\alpha|H\rangle + \beta|V\rangle)(\alpha|H\rangle + \beta|V\rangle)$

$= |\mathrm{copier}_3\rangle(\alpha^2|H\rangle|H\rangle + \alpha\beta|H\rangle|V\rangle + \beta\alpha|V\rangle|H\rangle + \beta^2|V\rangle|V\rangle),$ (2.4)

regardless of whether states $|\mathrm{copier}_1\rangle$ and $|\mathrm{copier}_2\rangle$ are identical (and equal to
$|\mathrm{copier}_3\rangle$) or not. The unitarity of quantum evolution requires that

$\langle H|V\rangle\langle\mathrm{blank}|\mathrm{blank}\rangle\langle\mathrm{copier}_0|\mathrm{copier}_0\rangle = \langle H|V\rangle\langle H|V\rangle\langle\mathrm{copier}_1|\mathrm{copier}_2\rangle,$ (2.5)

which can be satisfied only when the states to be copied are orthogonal.

Thus, the general state of a quantum object cannot be copied precisely. Dupli- 
cating can be done only approximately so that any of the resulting states is not 
exactly equal to the original. An optimal universal machine for approximate cloning 
of qubits was first designed by Buzek and Hillery [1996]. 
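The argument of Eqs. (2.3)-(2.5) worked through numerically, as an added example that is not part of the original article. It uses plain Python lists for the state vectors, real amplitudes, and the special case in which the copier's final states |copier_1>, |copier_2>, |copier_3> coincide (the text notes that the conclusion does not depend on this), so the copier register is dropped and only the two photons are tracked.

```python
# Added example (not from the paper): Eqs. (2.3)-(2.5) checked numerically with
# plain Python lists. The copier's own state is left out, i.e. we take the
# special case |copier_1> = |copier_2> = |copier_3>; amplitudes are real.
import math

H = [1.0, 0.0]          # horizontal polarization
V = [0.0, 1.0]          # vertical polarization

def superpose(alpha, beta):
    """alpha|H> + beta|V> (caller keeps alpha^2 + beta^2 = 1)."""
    return [alpha, beta]

def kron(u, v):
    """Tensor product |u>|v> of two state vectors."""
    return [a * b for a in u for b in v]

def inner(u, v):
    """<u|v> for real vectors."""
    return sum(a * b for a, b in zip(u, v))

def linear_copier(psi):
    """The map fixed by Eqs. (2.1)-(2.2) and extended by linearity, Eq. (2.3):
    |H>|blank> -> |H>|H>, |V>|blank> -> |V>|V>, hence
    (alpha|H> + beta|V>)|blank> -> alpha|H>|H> + beta|V>|V>."""
    alpha, beta = psi
    return [alpha * x + beta * y for x, y in zip(kron(H, H), kron(V, V))]

def perfect_copy(psi):
    """What a true copier would have to output, Eq. (2.4): |psi>|psi>."""
    return kron(psi, psi)

def copy_fidelity(alpha, beta):
    """|<linear copy | perfect copy>|^2: 1 for |H> or |V>, below 1 otherwise."""
    psi = superpose(alpha, beta)
    return inner(linear_copier(psi), perfect_copy(psi)) ** 2

def unitarity_gap(psi, phi):
    """Eq. (2.5) with the copier states dropped: a unitary copier needs
    <psi|phi> = <psi|phi>^2, so this gap must vanish. It does only for
    orthogonal (or identical) inputs."""
    s = inner(psi, phi)
    return s - s * s

if __name__ == "__main__":
    r = 1 / math.sqrt(2)
    print("fidelity copying |H>:", copy_fidelity(1.0, 0.0))          # 1.0
    print("fidelity copying (|H>+|V>)/sqrt2:", copy_fidelity(r, r))  # 0.5
    print("gap for H,V:", unitarity_gap(H, V))                        # 0.0
    print("gap for H,A:", unitarity_gap(H, superpose(r, r)))          # ~0.207
```

For the equal superposition the linear copier's output alpha|H>|H> + beta|V>|V> has only half the fidelity of the required product state, and the gap in Eq. (2.5) for the pair |H>, |A> is 1/sqrt(2) - 1/2, nonzero: exactly the non-orthogonal pair that BB84 relies on cannot be copied.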

2.4. PROTOCOL BB84 

Quantum key distribution (QKD) was born in 1984 when Charles H. Bennett and 
Gilles Brassard came up with an idea of how to securely distribute a random cryp- 
tographic key with the help of quantum mechanics (Bennett and Brassard [1984]). 
Hence, the protocol is called BB84. Drawing upon Stephen Wiesner's ideas about 
unforgeable quantum money (Wiesner [1983], original manuscript written circa
1969), Bennett and Brassard presented a protocol that allows users to establish 
an identical and purely random sequence of bits at two different locations, while 
allowing to reveal any eavesdropping with a very high probability. 
The crucial point of the BB84 protocol is the use of two conjugated bases. The
sender of the message encodes logical zeros and ones into two orthogonal states
of a quantum system. But for each bit she randomly changes this pair of states
- i.e., she chooses one of two bases. Each state vector of one basis has
equal-length projections onto all vectors of the other basis. That is, if a measurement
on a system prepared in one basis is performed in the other basis, its outcome is
entirely random and the system "loses all the memory" of its previous state. In
fact, the non-orthogonal signal states are used for testing the transmission channel
- checking it for eavesdropping.

We need not consider any particular quantum system. However, in order to
provide an example let us suppose that information is encoded into polarization states
of individual quanta of light - photons. One basis can consist, e.g., of horizontal
and vertical polarization states of photons, $|H\rangle$ and $|V\rangle$, resp.; let us call this basis
rectilinear. The other basis, diagonal, would consist of states of linear polarizations
at 45° (anti-diagonal), $|A\rangle$, and 135° (diagonal), $|D\rangle$, where

$|A\rangle = \frac{1}{\sqrt{2}}(|H\rangle + |V\rangle),$

$|D\rangle = \frac{1}{\sqrt{2}}(|H\rangle - |V\rangle).$ (2.6)

These four states satisfy the following relations

$\langle H|V\rangle = \langle A|D\rangle = 0,$
$\langle H|H\rangle = \langle V|V\rangle = \langle A|A\rangle = \langle D|D\rangle = 1,$ (2.7)
$|\langle H|A\rangle|^2 = |\langle H|D\rangle|^2 = |\langle V|A\rangle|^2 = |\langle V|D\rangle|^2 = 1/2.$

Any measurement in the rectilinear (diagonal) basis on photons prepared in the 
diagonal (rectilinear) basis will yield random outcomes with equal probabilities. 
On the other hand, measurements performed in the basis identical to the basis of 
preparation of states will produce deterministic results. 5 

At the beginning, the two parties that wish to communicate, traditionally called
Alice and Bob, agree that, e.g., $|H\rangle$ and $|A\rangle$ stand for the bit value "0", and $|V\rangle$ and
$|D\rangle$ stand for a bit value "1". Now Alice, the sender, generates a sequence of random
bits that she wants to transmit, and randomly and independently for each bit she
chooses her encoding basis, rectilinear or diagonal. Physically it means that she
transmits photons in the four polarization states $|H\rangle$, $|V\rangle$, $|A\rangle$, and $|D\rangle$ with equally
distributed frequencies. Bob, the receiver, randomly and independently of Alice, 
chooses his measurement bases, either rectilinear or diagonal. Statistically, their 
bases coincide in 50% of cases, when Bob's measurements provide deterministic 
outcomes and perfectly agree with Alice's bits. In order to know when the outcomes 
were deterministic, Alice and Bob need an auxiliary public channel to tell each 
other what basis they had used for each transmitted and detected photon. This 
classical channel may be tapped, because it transmits only information about the 
used bases, not about the particular outcomes of the measurements. Whenever
their bases coincide, Alice and Bob keep the bit. On the other hand, the bit is
discarded when they chose different bases, or Bob's detector failed to register a
photon due to imperfect efficiency of detectors or the photon was lost somewhere
on the way. Any potential eavesdropper, traditionally called Eve, who listens in on
this conversation can only learn whether they both set the rectilinear or diagonal
basis, but not whether Alice had sent a "0" or "1". The protocol is represented in
Table 2.4.

5 We could also consider a third basis consisting of right and left circular polarizations whose
vectors satisfy relations analogous to Eqs. (2.7). Any two of these three mentioned bases suffice
for secure quantum key distribution.

Table 1: BB84 Protocol. 1st line - Alice's random bits. 2nd line - Alice's random
polarization bases; "+" and "x" stand for the rectilinear and diagonal bases, resp.
3rd line - actual polarization of transmitted photons. 4th line - Bob's random
detection bases. 5th line - polarization of detected photons; 'rand' stands for a
random outcome. 6th line - Bob publicly announces his measurement bases. 7th
line - Alice publicly replies when Bob set the correct measurement basis. 8th line
- the cryptographic key.

2.5. EAVESDROPPING, INTERCEPT-RESEND ATTACK 

If Eve is present and wants to eavesdrop on the channel, she cannot passively 
monitor the transmissions (single quantum cannot be split and its state cannot 
be copied without introducing detectable disturbances, as discussed above). What 
Eve can do is either to intercept the photons sent by Alice, perform measurements 
on them and resend them to Bob, or to attach some probe to the signal photon,
i.e., to let some system in her hands interact with the quantum system carrying
information, keep it and measure it later. To understand the effect of eavesdropping
we will consider first only the intercept-resend attack. As Alice alternates her 
encoding bases at random, Eve does not know the basis to make a measurement 
in. She must choose her measurement bases at random as well. Half the time she 
guesses right and she resends correctly polarized photons. In 50% of cases, though, 
she measures in the wrong basis, which produces errors. For example, let us suppose 
that Alice sends a "1" in the rectilinear basis, i.e., state \V), Eve measures in the 
diagonal basis, and Bob measures in the rectilinear basis (otherwise the bit would 
be discarded). Now, no matter whether Eve detects and resends \A) or \D), Bob 
has a 50% chance to get \H), i.e., a binary "0" , instead of \V). Thus, if we consider 
a continuous intercept-resend eavesdropping, Bob finds on average errors in 25% 
of those bits that he successfully detects. If Alice and Bob agree to disclose part 
of their strings in order to compare them, they can discover these errors. When 
they set identical bases, their bit strings should be in perfect agreement. When 
discrepancies are found, Eve is suspected of tampering with the photons, and the 
cryptographic key is thrown away. Thus, no information leakage occurs even in 
the case of eavesdropping. If their strings are identical, the key is deemed secure 
and secret,^6 and can be used for the above-mentioned Vernam cipher to encrypt 
communications. Since the bits used to test for eavesdropping are communicated 
over the open public channel, they must always be discarded and only the remaining 
bits constitute the key. An intercept-resend attack is not the optimal eavesdropping 
strategy. However, any interaction with the data carriers that can provide Eve with 
any information on the key always causes errors in transmission. 

In order to leave the original states intact, Eve could try to attach a probe and 
let it interact with the information carrier: 

$$|a\rangle|E\rangle \to |a\rangle|E_a\rangle \quad\text{and}\quad |b\rangle|E\rangle \to |b\rangle|E_b\rangle, \qquad (2.8)$$

where $|a\rangle$ and $|b\rangle$ denote two possible states of the information carrier, $|E\rangle$ is the initial 
state of Eve's probe, and $|E_a\rangle$ and $|E_b\rangle$ are its final states. Any unitary interaction 
has to conserve the following inner product: 

$$\langle a|b\rangle\langle E|E\rangle = \langle a|b\rangle\langle E_a|E_b\rangle. \qquad (2.9)$$

If the states $|a\rangle$ and $|b\rangle$ are non-orthogonal, $\langle a|b\rangle \neq 0$, the equality (2.9) can be fulfilled 
only if $\langle E_a|E_b\rangle = 1$, i.e., when the final states of Eve's probe are identical. Eve 
thus cannot gain any information. It is apparent that for Eve to discriminate between 
two nonorthogonal states she must disturb the state of the measured objects, 
and thereby inevitably cause errors in transmissions. A more detailed discussion of 
sophisticated eavesdropping strategies will be provided in Section 8. 

It should be mentioned that no physical apparatus is perfect and noiseless. Alice 
and Bob will always find discrepancies, even in the absence of Eve. As they cannot 
set apart errors stemming from eavesdropping and those from the noise of the 
apparatus, they conservatively attribute all the errors in transmissions to Eve. 
From the number of errors, the amount of information that has potentially leaked 
to Eve can be estimated. Afterwards Alice and Bob reconcile their bit strings 
using an error correction technique to arrive at an identical sequence of bits. This 
sequence is not completely secret. Eve might have partial knowledge about it. 
To eliminate this knowledge, they run a procedure called privacy amplification. 
Privacy amplification is a method enabling them to distill a secret bit string from 
their data in such a way that Eve would know even a single bit of the distilled 
string only with an arbitrarily small probability. Both of these procedures, error 
correction and privacy amplification, will be described in detail in Section 7. 



6 The probability that eavesdropping will not be detected decreases exponentially with the 
increasing number of compared bits. 




§ 3. Some other discrete protocols for QKD 

3.1. TWO-STATE PROTOCOL, B92 

Besides BB84, other protocols have been designed. In 1992, C. H. Bennett showed (Bennett 
[1992b]) that two nonorthogonal states are already sufficient to implement 
secure QKD. Let Alice choose two nonorthogonal states and send them to Bob 
in random order. When Bob performs projections onto the subspaces orthogonal to 
the signal states, he sometimes learns Alice's bit with certainty and sometimes he 
obtains an inconclusive outcome. After the transmission, Bob tells Alice when he 
detected a bit. In this case, he does not announce the basis used, because a basis 
in which he detected a photon uniquely identifies the bit Alice had sent. This 
protocol is usually called B92. 

However, such a scheme is secure only in lossless systems or if the losses are 
very low. In the case of higher losses, an eavesdropper could sit in the middle and 
make measurements on the quantum states. If she obtains an inconclusive 
result, she blocks the signal, while if she has detected the sent state, she re-sends 
a correct copy to Bob, because she knows the state with certainty. To compensate 
for the blocked photons, she can send a pulse of higher intensity so that Bob cannot 
observe any decrease in the expected transmission rate. 



3.2. B92 PROTOCOL WITH A STRONG REFERENCE PULSE 

One possibility to counteract the above-mentioned eavesdropping strategy against 
the B92 protocol is to encode bits into the phase difference between a dim pulse (with 
less than one photon on average) and a classical strong reference pulse (Bennett 
[1992b]). That is, the laser pulse is split into strong and weak parts on a highly 
unbalanced beam splitter. Both Alice and Bob can introduce a phase shift between 
these pulses. On Bob's side both pulses are combined again on an unbalanced beam 
splitter where they interfere. Bob can also monitor the presence of all strong pulses. 

Now, when Eve gets an inconclusive result, she cannot suppress the strong pulse, 
because Bob must receive all of them. However, when Eve blocks only the dim pulse, 
the interference of the bright pulse with vacuum (instead of the dim pulse) will lead to 
errors. Similarly, if Eve tries to fabricate her own dim or bright pulse (or both of 
them) and send it (them) to Bob, she will inevitably cause detectable errors. Even 
though the B92 protocol can be unconditionally secure if properly implemented, 
Eve can now acquire more information on the key for a given disturbance than in 
the case of the BB84 protocol (Fuchs et al. [1997]). 



3.3. SIX-STATE PROTOCOL 

In the six-state protocol, three non-orthogonal bases are used (Bruss [1998], Bechmann-Pasquinucci 
and Gisin [1999]) that Alice and Bob randomly alternate. If we denote 
the two conjugate bases employed in the BB84 protocol as $\{|0\rangle, |1\rangle\}$ and $\{|\bar 0\rangle, |\bar 1\rangle\}$, 
where 

$$|\bar 0\rangle = \frac{1}{\sqrt 2}\left(|0\rangle + |1\rangle\right), \qquad |\bar 1\rangle = \frac{1}{\sqrt 2}\left(|0\rangle - |1\rangle\right), \qquad (3.1)$$

then the third basis is $\{|\tilde 0\rangle, |\tilde 1\rangle\}$ with 

$$|\tilde 0\rangle = \frac{1}{\sqrt 2}\left(|0\rangle + i|1\rangle\right), \qquad |\tilde 1\rangle = \frac{1}{\sqrt 2}\left(|0\rangle - i|1\rangle\right). \qquad (3.2)$$

The probability that Alice and Bob choose the same basis is now 1/3.^7 But this 
disadvantage against BB84 is outweighed by the fact that eavesdropping causes a higher 
error rate. For example, a continuous intercept-resend attack induces on average 
33% errors compared to 25% in the case of the BB84 protocol. In general, the 
maximal mutual information between Eve and Alice is smaller than in the BB84 
scenario. Besides, the symmetry of the signal states simplifies the security analysis. 
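The intercept-resend error rates quoted in Section 2.5 (25% for BB84) and above (33% for the six-state protocol), together with the unambiguous-discrimination step of B92 in Section 3.1, can all be reproduced with a small qubit simulation. The following Python code is an added example written for this page, not code from the paper or its authors; it assumes an ideal lossless, noiseless channel and models a measurement in a wrong mutually unbiased basis as a uniformly random outcome that collapses the state, exactly as the 'rand' entries of Table 1 do. The sample sizes, seeds and the test fraction of `disclose_and_test` are arbitrary choices of the example.

```python
import math
import random

INV_SQRT2 = 1 / math.sqrt(2)

# The three mutually unbiased qubit bases of the six-state protocol, each as an
# ordered pair of orthonormal amplitude vectors (state for bit 0, state for bit 1).
# "+" is the rectilinear basis, "x" the diagonal basis (3.1), "o" the circular
# basis (3.2). BB84 uses "+" and "x" only.
BASES = {
    "+": ((1, 0), (0, 1)),
    "x": ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2)),
    "o": ((INV_SQRT2, 1j * INV_SQRT2), (INV_SQRT2, -1j * INV_SQRT2)),
}


def inner(u, v):
    """<u|v> for two-component amplitude vectors."""
    return complex(u[0]).conjugate() * v[0] + complex(u[1]).conjugate() * v[1]


def measure(state, basis, rng):
    """Born-rule projective measurement. Returns (bit, post-measurement state):
    deterministic in the preparation basis, uniformly random in any of the other
    two bases (they are mutually unbiased)."""
    v0, v1 = BASES[basis]
    p0 = round(abs(inner(v0, state)) ** 2, 12)
    bit = 0 if rng.random() < p0 else 1
    return bit, (v0, v1)[bit]


def prepare_and_measure(n_rounds, bases=("+", "x"), eve=False, seed=0):
    """BB84 (bases "+","x") or six-state (bases "+","x","o") with an optional
    intercept-resend Eve who measures every photon in a random basis and
    resends the collapsed state (Section 2.5). Returns the sifted strings
    (alice_bits, bob_bits): the rounds in which Bob's basis equals Alice's."""
    rng = random.Random(seed)
    alice, bob = [], []
    for _ in range(n_rounds):
        a_bit, a_basis = rng.randrange(2), rng.choice(bases)
        state = BASES[a_basis][a_bit]
        if eve:
            _, state = measure(state, rng.choice(bases), rng)
        b_basis = rng.choice(bases)
        b_bit, _ = measure(state, b_basis, rng)
        if b_basis == a_basis:          # bases compared over the classical channel
            alice.append(a_bit)
            bob.append(b_bit)
    return alice, bob


def b92(n_rounds, seed=0):
    """B92 (Section 3.1): Alice sends |0> for bit 0 or |+> for bit 1. Bob measures
    in a random basis; an outcome orthogonal to one signal state identifies the
    other one with certainty, every other outcome is inconclusive. Returns
    (alice_bits, bob_bits) for the conclusive rounds only."""
    rng = random.Random(seed)
    signal = {0: BASES["+"][0], 1: BASES["x"][0]}
    alice, bob = [], []
    for _ in range(n_rounds):
        a_bit = rng.randrange(2)
        b_basis = rng.choice(("+", "x"))
        b_bit, _ = measure(signal[a_bit], b_basis, rng)
        if b_bit == 1:   # |1> excludes |0> -> bit 1;  |-> excludes |+> -> bit 0
            alice.append(a_bit)
            bob.append(1 if b_basis == "+" else 0)
    return alice, bob


def error_rate(a, b):
    """Fraction of positions where the two sifted strings disagree (QBER)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def disclose_and_test(alice, bob, test_fraction, seed=0):
    """Alice and Bob publicly compare a random fraction of their sifted bits to
    estimate the error rate; the compared bits went over the public channel and
    are discarded. Returns (estimated_qber, alice_key, bob_key)."""
    rng = random.Random(seed)
    idx = list(range(len(alice)))
    rng.shuffle(idx)
    n_test = int(len(idx) * test_fraction)
    test, keep = idx[:n_test], idx[n_test:]
    qber = sum(alice[i] != bob[i] for i in test) / max(1, n_test)
    return qber, [alice[i] for i in keep], [bob[i] for i in keep]
```

Running `prepare_and_measure` with `eve=True` gives a QBER close to 1/4 for two bases and close to 1/3 for three, while the honest runs and the conclusive B92 rounds show no errors at all; `disclose_and_test` is the comparison step that turns that QBER into the decision to keep or discard the key.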

3.4. SARG PROTOCOL 

The SARG protocol (named after its authors) was proposed to beat the 
photon-number splitting (PNS) attack^8 in QKD schemes based on weak laser pulses. 
It relies on Eve's inability to perfectly distinguish between two non-orthogonal 
states (Scarani et al. [2004], Branciard et al. [2005]). In contrast to BB84, the two 
values of a classical bit are encoded into pairs of non-orthogonal states. However, 
to implement the SARG protocol one can keep the same hardware as for BB84 and 
modify only the classical communication between Alice and Bob. Alice prepares 
four quantum states and Bob makes measurements exactly as in the BB84 protocol. 
But Alice does not reveal the basis; instead she reveals a pair of non-orthogonal signal states such 
that one of these states is the one she has sent. Bob guesses the bit correctly if he 
finds a state orthogonal to one of the two announced non-orthogonal states (for details 
see Scarani et al. [2004]). In comparison with the BB84 protocol, SARG makes it possible 
to increase the secure QKD radius when the source is not a single-photon source. 

3.5. DECOY-STATE PROTOCOLS 

The decoy-state method represents another way to counteract the PNS attack on 
QKD schemes using weak laser pulses (Hwang [2003], Wang [2004a], Wang [2004b], 
Lo et al. [2005b], Ma [2004]). It can substantially extend the distance over which 
secure communication is possible. If this method is used with the BB84 protocol, the 
secure-key rate is proportional to the overall transmittance even if the light source 
is an attenuated laser (the secure-key rate for standard BB84 is linearly dependent 
on the transmittance only in the case of a single-photon source; with weak laser pulses it 
is proportional to the square of the transmittance). 

The idea is based on the observation that by adding some decoy states, one can 
estimate the behavior of vacuum, single-photon, and multi-photon states individually. 
Hence, Alice sometimes sends an additional decoy state with an intensity different 
from that of the states used for the key transmission (but with the same wavelength, 
timing, etc.). These decoy states serve only for testing Eve's presence. Eve 

7 Factors like 1/3 for the six-state protocol or 1/2 for BB84 are not essential. In fact, the 
communication can proceed in only one orthogonal basis and the other non-orthogonal states can 
be sent randomly from time to time just to test the channel for the presence of an eavesdropper. 
So if the probabilities of bases are "biased" in favor of one of the bases, these factors can 
asymptotically reach unity (Lo et al. [2005a]). 

8 In the photon-number splitting attack Eve exploits multi-photon states present in weak laser 
pulses. See Section 8.5.4. 
does not know when Alice sends the decoy states and she cannot identify them. 
The changes that Eve's PNS attack makes to these decoy states enable Alice and Bob 
to detect the PNS eavesdropping. 

The essence of the decoy-state method consists in the following fact: the conditional 
probability $Y_n$ that Bob detects a signal, provided that Alice's source has 
emitted an $n$-photon state, must be the same for both the signal and the decoy states. 
When no eavesdropper is present it must be equal to the following value given by 
the parameters of the apparatus: 

$$Y_n^{\rm signal} = Y_n^{\rm decoy} = Y_n = \left[1 - (1-\eta)^n\right](1 - p_{\rm dark}) + p_{\rm dark}, \qquad (3.3)$$

where $\eta$ is the total transmission efficiency and $p_{\rm dark}$ is the probability of a detector 
dark count. The PNS attack inevitably changes some $Y_n$. The quantities 
$Y_n$ are not directly measurable. But what Bob can directly determine is the total 
detection rate for a given mean photon number $\mu$ of Alice's pulses: 

(3.4) 

If Alice and Bob use decoy states with different mean photon numbers they can estimate 
the values of $Y_n$ for some photon numbers $n$ and check whether they correspond 
to the expected values. 

The security of the decoy-state method with the BB84 protocol under the "paranoid" 
assumptions (Gottesman et al. [2004]) has been analyzed by Lo et al. [2005b]. 
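To see concretely how decoy states expose a PNS attack, here is an added Python example (not code from the paper or its authors): it evaluates Eq. (3.3) for an assumed apparatus (η = 0.10 and p_dark = 10⁻⁴ are constructed values), averages the yields over the Poisson photon-number distribution of an attenuated laser (Section 4.1) to obtain the total rate that Bob actually measures, and then models an eavesdropper who blocks single-photon pulses and forwards multi-photon pulses losslessly while keeping the signal-state rate unchanged. The signal intensity 0.8 and decoy intensity 0.12 are those of the Zhao et al. [2005] experiment quoted in Section 4.1.2; the eavesdropper model and the 10% tolerance are assumptions of the example.

```python
from math import exp, factorial

# Apparatus parameters assumed by this example (constructed, not from the paper):
# ETA is the total transmission efficiency, P_DARK the detector dark-count
# probability per pulse slot. MU and NU are the signal and decoy intensities
# of Zhao et al. [2005] as quoted in Section 4.1.2.
ETA = 0.10
P_DARK = 1e-4
MU, NU = 0.8, 0.12
N_MAX = 25   # photon numbers above this contribute nothing at these intensities


def yield_n(n, eta=ETA, p_dark=P_DARK):
    """Eq. (3.3): probability Y_n that Bob registers a detection when Alice's
    source emitted an n-photon pulse, fixed by the apparatus alone."""
    return (1 - (1 - eta) ** n) * (1 - p_dark) + p_dark


def poisson(n, mu):
    """Photon-number distribution of an attenuated laser pulse with mean photon
    number mu (Poisson statistics, Section 4.1)."""
    return exp(-mu) * mu ** n / factorial(n)


def gain(mu, yields):
    """Total detection rate Q_mu that Bob measures directly: the Poisson average
    of the per-photon-number yields Y_n."""
    return sum(poisson(n, mu) * yields(n) for n in range(N_MAX + 1))


def honest_yields(n):
    """Channel without Eve: Y_n as given by Eq. (3.3)."""
    return yield_n(n)


def pns_yields(mu_signal=MU):
    """Yields imposed by a photon-number-splitting eavesdropper in the model of
    this example: she blocks every single-photon pulse (Y_1 = 0), leaves vacuum
    pulses to dark counts, and forwards a fraction f of multi-photon pulses
    through a lossless channel (Y_n = f for n >= 2), with f tuned so that the
    signal-state rate Q_mu is exactly the honest value. Bob sees no change in
    Q_mu, which is why the signal states alone cannot expose her."""
    target = gain(mu_signal, honest_yields)
    vacuum = poisson(0, mu_signal) * P_DARK
    multi = sum(poisson(n, mu_signal) for n in range(2, N_MAX + 1))
    f = (target - vacuum) / multi
    if not 0 <= f <= 1:
        raise ValueError("no such PNS strategy reproduces Q_mu at this loss")

    def yields(n):
        return P_DARK if n == 0 else (0.0 if n == 1 else f)
    return yields


def decoy_test(channel_yields, mu=MU, nu=NU, tolerance=0.10):
    """Decoy check: because Y_n must be the same for signal and decoy pulses, the
    decoy rate Q_nu is predicted by Eq. (3.3) once the apparatus is known. A
    relative deviation above `tolerance` (a constructed threshold; real systems
    use statistical confidence bounds) flags PNS tampering.
    Returns (Q_mu, Q_nu, expected_Q_nu, flagged)."""
    q_mu = gain(mu, channel_yields)
    q_nu = gain(nu, channel_yields)
    expected = gain(nu, honest_yields)
    flagged = abs(q_nu - expected) / expected > tolerance
    return q_mu, q_nu, expected, flagged
```

With these parameters the eavesdropper reproduces Q_μ to floating-point precision, yet the decoy rate Q_ν she produces is less than half of the value Eq. (3.3) predicts, because the decoy pulses are dominated by single-photon events that she had to block; that mismatch is what Alice and Bob detect.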

3.6. ENTANGLEMENT-BASED PROTOCOLS 

Another class of QKD protocols is based on quantum entanglement. The security 
of the original proposal was ensured by checking the violation of Bell's inequalities 
(Ekert [1991]). The simplified version of the protocol works in a very similar way 
to BB84 (Bennett et al. [1992d]). 

3.6.1. Entanglement, Bell's inequalities 

Two or more quantum systems are entangled if their global state cannot be expressed 
as a direct product or a statistical mixture of direct products of any quantum 
states of the individual systems. Entanglement leads to many interesting effects 
unknown in classical physics. It lies at the basis of quantum teleportation (Bennett 
et al. [1993]) and it is responsible for the effectiveness of quantum computation 
(Nielsen and Chuang [2000]). Asher Peres said that "Entanglement is a trick that 
quantum magicians use to produce phenomena that cannot be imitated by classical 
magicians." (Bruss [2002]). 

In 1935 Einstein, Podolsky and Rosen (Einstein et al. [1935]) formulated a 
gedanken experiment employing two particles prepared in an entangled state to 
argue against the completeness of quantum theory. They used the fact that 
the result of any potential measurement on one subsystem of a properly chosen 
entangled pair can be predicted with certainty after the proper measurement on the 
other subsystem. Following this fact and a few "natural" assumptions (namely the 
assumptions of locality and reality) they concluded that there must simultaneously 
exist "elements of reality" for two complementary observables. 



However, in 1964 John Bell (Bell [1964]) showed that there is no local realistic 
theory that would give the same predictions as quantum mechanics. Namely, 
quantum mechanics predicts different values of certain correlations of measurement 
results on a bipartite system in a specific entangled state. He derived his famous 
inequalities that must be satisfied by any local realistic theory but that may be 
violated by quantum theory. 

Let us denote by $A(\mathbf n_1)$ and $B(\mathbf n_2)$ random variables, taking the discrete values $\pm 1$, 
corresponding to measurement results on two separated but somehow correlated 
particles, where the settings of the respective measurement devices are represented by 
unit vectors $\mathbf n_1$ and $\mathbf n_2$ (note that $A$ depends only on $\mathbf n_1$ and $B$ only on $\mathbf n_2$; 
this reflects the locality condition). The randomness of $A$ and $B$ is supposed to 
be caused only by some random parameters $\lambda$ that may be common to both 
particles and that we do not know (the premise of reality). The Bell inequality, in 
the form derived by Clauser et al. [1969], states that: 

$$\left|C(\mathbf n_1,\mathbf n_2) + C(\mathbf n_1,\mathbf n_2') + C(\mathbf n_1',\mathbf n_2) - C(\mathbf n_1',\mathbf n_2')\right| \le 2, \qquad (3.5)$$

where $C(\mathbf n_1,\mathbf n_2)$ is the correlation function: 

$$C(\mathbf n_1,\mathbf n_2) = \langle A(\mathbf n_1)B(\mathbf n_2)\rangle = \int A(\mathbf n_1,\lambda)\,B(\mathbf n_2,\lambda)\, d\rho_\lambda. \qquad (3.6)$$

Now, let us try to describe such a situation in the quantum language, assuming 
two spin-half particles in the following entangled state: 

$$|\psi\rangle = \frac{1}{\sqrt 2}\left(|\mathbf n,+\rangle_1|\mathbf n,-\rangle_2 - |\mathbf n,-\rangle_1|\mathbf n,+\rangle_2\right), \qquad (3.7)$$

where the state vectors $|\mathbf n,\pm\rangle$ correspond to the two orthogonal projections of the spin onto the direction 
$\mathbf n$. Then the quantum prediction for the correlation function reads: 

$$C(\mathbf n_1,\mathbf n_2) = \langle\psi|(\mathbf n_1\cdot\boldsymbol\sigma_1)(\mathbf n_2\cdot\boldsymbol\sigma_2)|\psi\rangle, \qquad (3.8)$$

where $\boldsymbol\sigma_1$, $\boldsymbol\sigma_2$ are the vectors of Pauli matrices. If we choose the settings of the measurement 
apparatuses in such a way that $\mathbf n_1$ with $\mathbf n_2$, $\mathbf n_1$ with $\mathbf n_2'$ and $\mathbf n_1'$ with $\mathbf n_2$ 
include an angle of 45°, while $\mathbf n_1'$ with $\mathbf n_2'$ include an angle of 135°, we readily find that 

$$\left|C(\mathbf n_1,\mathbf n_2) + C(\mathbf n_1,\mathbf n_2') + C(\mathbf n_1',\mathbf n_2) - C(\mathbf n_1',\mathbf n_2')\right| = 2\sqrt 2 > 2. \qquad (3.9)$$

3.6.2. Original Ekert's protocol and its simplified form 

According to Ekert's protocol (Ekert [1991]), Alice and Bob each obtain one particle 
from a pair of spin-1/2 particles in the state (3.7). (In fact, it does not matter 
whether they share two entangled spin-1/2 particles or, e.g., two photons with 
entangled polarizations.) Alice and Bob perform measurements on their respective 
particles in three bases defined by three orientations of their measurement devices 
(e.g., Stern-Gerlach apparatuses). For simplicity let us suppose that they use only 
directions lying in the plane perpendicular to the trajectory of the particles. Alice's 
bases make angles of 0°, 45°, 90° with respect to the vertical, and Bob's bases 
make 45°, 90°, 135°. There are nine possible combinations. After the quantum 
transmission, during which Alice and Bob randomly and independently set their 
measurement bases, the settings are publicly announced. When identical bases 
were used, the outcomes of their measurements are correlated and become the 
cryptographic key. The probability that Alice and Bob use the same basis is 2/9. 
The outcomes of measurements in the other bases are used to verify the violation 
of the Clauser-Horne-Shimony-Holt inequality (3.5). An eavesdropper attempting 
to correlate her probe with the other two particles would disturb the purity of the 
singlet state (3.7), which would result in a smaller violation of the inequality or no 
violation at all. 

A year later Bennett et al. [1992d] proposed a simpler entanglement-based protocol 
without directly invoking Bell's theorem. Here, both Alice and Bob choose 
only from two bases corresponding to two perpendicular orientations of their spin-measurement 
devices, in a way very similar to the BB84 protocol. In fact, the only 
difference from BB84 is that Alice does not send particles in a chosen spin (or polarization) 
state but measures her particle from the entangled pair in one of two 
conjugate bases. She must select bases randomly and independently of Bob. 
The rest is the same as in BB84: after the transmission Alice and Bob compare 
their bases and keep only those results for which they used the same bases. 
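The correlation function (3.8), the CHSH value (3.9) and the key sifting of Ekert's protocol can be checked numerically. The following Python code is an added example written for this page, not the paper's or Ekert's own code; it builds (n₁·σ₁)(n₂·σ₂) from explicit Pauli matrices, evaluates it on the singlet (3.7), and samples measurement outcomes from the resulting quantum probabilities. The `visibility` parameter, which models a pair whose purity has been degraded as ρ = V|ψ⟩⟨ψ| + (1−V) I/4, is an assumption of the example used to illustrate the reduced violation mentioned in the text.

```python
import math
import random
from functools import lru_cache

# Pauli matrices as 2x2 nested lists (constructed helper for this example).
SX = [[0, 1], [1, 0]]
SY = [[0, -1j], [1j, 0]]
SZ = [[1, 0], [0, -1]]

# Singlet state (3.7) written in the z basis, (|+-> - |-+>)/sqrt(2), with the
# components ordered as |++>, |+->, |-+>, |-->.
SINGLET = [0.0, 1 / math.sqrt(2), -1 / math.sqrt(2), 0.0]


def spin_along(n):
    """n . sigma for a unit vector n = (nx, ny, nz)."""
    return [[n[0] * SX[i][j] + n[1] * SY[i][j] + n[2] * SZ[i][j]
             for j in range(2)] for i in range(2)]


def kron(a, b):
    """Tensor product of two 2x2 matrices: (n1.sigma_1)(n2.sigma_2) of (3.8)."""
    return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)]
            for i in range(4)]


def expectation(psi, m):
    """<psi|M|psi> for a 4-component state vector."""
    mpsi = [sum(m[i][j] * psi[j] for j in range(4)) for i in range(4)]
    return complex(sum(psi[i].conjugate() * mpsi[i] for i in range(4))).real


def in_plane(theta_deg):
    """Measurement direction in the plane perpendicular to the trajectory
    (taken as the x-z plane), at angle theta from the vertical z axis."""
    t = math.radians(theta_deg)
    return (math.sin(t), 0.0, math.cos(t))


@lru_cache(maxsize=None)
def correlation(theta1, theta2):
    """Eq. (3.8) for the singlet: C(n1, n2) = <psi|(n1.sigma_1)(n2.sigma_2)|psi>,
    which evaluates to -cos(theta1 - theta2)."""
    m = kron(spin_along(in_plane(theta1)), spin_along(in_plane(theta2)))
    return round(expectation(SINGLET, m), 12)


def chsh(n1, n1p, n2, n2p, visibility=1.0):
    """Left-hand side of the CHSH inequality (3.5). `visibility` < 1 models a
    degraded pair rho = V|psi><psi| + (1-V) I/4, for which every correlation is
    scaled by V (an assumption of this example, not a statement of the paper)."""
    def c(a, b):
        return visibility * correlation(a, b)
    return abs(c(n1, n2) + c(n1, n2p) + c(n1p, n2) - c(n1p, n2p))


def ekert_rounds(n_rounds, seed=0, visibility=1.0):
    """Ekert protocol (Section 3.6.2): Alice chooses 0/45/90 degrees, Bob
    45/90/135. Equal settings give perfectly anticorrelated outcomes that
    become key bits (Bob inverts his); Alice in {0, 90} against Bob in {45, 135}
    feeds the CHSH test. Outcomes are sampled from the quantum joint
    probabilities P(a = b) = (1 + C)/2. Returns (alice_key, bob_key, chsh)."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    tally = {}   # (theta_A, theta_B) -> [sum of a*b, count]
    for _ in range(n_rounds):
        ta, tb = rng.choice((0, 45, 90)), rng.choice((45, 90, 135))
        c = visibility * correlation(ta, tb)
        a = rng.choice((-1, 1))
        b = a if rng.random() < (1 + c) / 2 else -a
        if ta == tb:
            alice_key.append((a + 1) // 2)
            bob_key.append((1 - b) // 2)   # singlet: Bob's result is the opposite
        elif ta in (0, 90) and tb in (45, 135):
            t = tally.setdefault((ta, tb), [0, 0])
            t[0] += a * b
            t[1] += 1
    est = {k: v[0] / v[1] for k, v in tally.items()}
    s = abs(est[(90, 45)] + est[(90, 135)] + est[(0, 45)] - est[(0, 135)])
    return alice_key, bob_key, s
```

With n₁ = 90°, n₁' = 0°, n₂ = 45°, n₂' = 135° (the three 45° pairs and one 135° pair of the text) `chsh` returns 2√2, and the sampled estimate from `ekert_rounds` converges to the same value while the key bits of the matching settings agree exactly; lowering `visibility` below 1/√2 brings the estimate under the classical bound 2, so the protocol can no longer certify the pair.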

3.6.3. Passive setup 

The system for entanglement-based QKD can even be designed in such a way that 
it can be operated entirely in a passive regime without any externally driven elements 
(e.g., polarization rotators or phase modulators; Rarity et al. [1994]). Each particle 
from the entangled pair "may freely decide" on a beam splitter in which basis it will 
be measured. That is, both the random key bits and the random measurement bases 
are chosen directly by the genuine randomness of nature. 

§ 4. Experiments 

4.1. QKD WITH WEAK LASER PULSES 

Attenuated lasers are often used as sources in practical QKD devices. If the spectral 
width of the laser pulses is much smaller than their mean frequency, the state of 
light can be well approximated by a monochromatic coherent state. The photon-number 
distribution of a coherent state is governed by Poisson statistics. The 
multi-photon pulses can cause problems due to the PNS attack: Eve could always 
split off one photon and perform a measurement on it without introducing an error. 
This potentially leaked information must be taken into account (see Sections 8.5.3 
and 8.5.4). A way to beat this attack is the decoy-state method 
(see Section 3.5). 

4.1.1. Polarization encoding 

The very first QKD experiment that took place in 1989 (Bennett et al. [1989], 
Bennett et al. [1992a]) was based on polarization encoding for the BB84 protocol. 
For the description of the protocol, we refer the reader to Section 2. 

A light-emitting diode (LED) generated light pulses that were subsequently attenuated 
by an interference filter and polarized by a polarizer (see Fig. 1). The 
qubits were encoded in the polarization of photons by means of Pockels cells. The 
quantum channel was 32 cm of free air. Bob analyzed the polarization states using 
a Wollaston prism, which was preceded by another Pockels cell to choose his polarization 
basis. The output ports of the prism were monitored by photomultipliers. 

Figure 1: First QKD experiment (Bennett et al. [1989]). 

Four years later, Gisin's group from the University of Geneva replaced the free-air 
optical path by a 1 km optical fiber (Müller et al. [1993], Breguet et al. [1994]). A 
semiconductor laser at 800 nm was used to generate light pulses that were detected 
by silicon avalanche photodiodes. Since the optical fiber deforms the polarization 
state of light, a manually adjustable polarization controller was employed to compensate 
for temporal changes of polarization. 

Bends and twists of the optical fiber induce birefringence, which gives rise to 
different velocities of the orthogonal polarization components of light and thereby 
changes the polarization state. Since the degree of polarization degrades only 
slowly in fibers, the same stress-induced birefringence can, on the other hand, be 
used to compensate for this deformation. A fiber spool of a suitable diameter can 
act as a fractional wave plate. 

Franson and Ilves [1994] proposed a QKD device with an active polarization-alignment 
feedback loop. Such a system was demonstrated to work over a distance 
of 1 km (Franson and Jacobs [1995]). 

The first experiment with Alice and Bob placed in different laboratories (in 
this case even in the different towns of Geneva and Nyon) was performed by the Geneva 
group (Müller et al. [1995], Müller et al. [1996]). Error rates of only 3-4% were 
achieved between two stations connected by a 23 km fiber deployed under Lake 
Geneva. In order to reduce fiber losses, a laser at 1.3 μm was used and the photons 
were detected by liquid-nitrogen-cooled germanium avalanche photodiodes. 

Using optical fiber is not the only way to implement QKD at a distance. Another 
approach is to try to communicate directly through free space. Unlike fibers, 
the atmosphere is non-birefringent, so polarization encoding is very suitable. 
The feasibility of free-space QKD was shown by Jacobs and Franson [1996], who 
managed to communicate over 150 m in a fluorescent-tube-illuminated corridor and 
over 75 m outdoors in daylight. It was the first free-space implementation of QKD 
after the celebrated 1989 Bennett and Brassard experiment, and there were more 
to come. The Los Alamos group first exchanged keys at 1 km by night, bouncing 
the photons between mirrors (Buttler et al. [1998a], Buttler et al. [1998b]); then 
point-to-point communication over 0.5 km in daylight was performed (Hughes et 
al. [2000a]) and eventually over 1.6 km in daylight (Buttler et al. [2000]). A distance 
of 1.9 km at night was covered by Gorman et al. [2001]. Hughes et al. [2002] 
then demonstrated free-space QKD over 10 km. Free-space QKD over the largest 
distance so far was performed by the Munich group of H. Weinfurter (Kurtsiefer et 
al. [2002a], Kurtsiefer et al. [2002b]). Unlike the other groups, they moved to the 
high altitudes of the Alps to take advantage of thinner air and less air turbulence. 
Alice was located on the summit of Zugspitze (2962 m) and Bob was on the 23.4 km 
distant Karwendelspitze (2244 m). 

Figure 2: Setup for phase-encoded QKD with a double Mach-Zehnder interferometer. 

A demonstration of free-space QKD with a single-photon source based on a nitrogen-vacancy 
center in diamond (see Section 5.1.3) was done by Beveratos et al. [2002] 
(indoor experiment over 50 m) and by Alleaume et al. [2004] (this latter experiment 
of the same group was operated outdoors over 30 m at night). 

4.1.2. Phase encoding 

In this method, different polarizations (used in polarization encoding) are replaced 
by different phase shifts between two arms of the Mach-Zehnder interferometer. 
Alice controls the phase shift in one arm of the interferometer, Bob controls the 
phase shift in the other arm. If Alice's and Bob's phase shifts are the same or differ 
by 180°, then the behavior of the photon at Bob's beam splitter is deterministic 
because of constructive interference in one of the outputs and destructive interfer- 
ence in the other one. If the total phase shift between the arms is different from an 
integer multiple of 180°, photons are detected randomly at both detectors. 

In the case of the BB84 protocol, Alice encodes bit values into four non-orthogonal 
quantum states. She sends weak light pulses to the interferometer and randomly sets 
the phase $\phi_A$ to 0°, 90°, 180°, or 270°. Bob randomly (and independently 
of Alice) sets the phase $\phi_B$ to 0° or 90°. These two values correspond to the measurement 
in the "rectilinear" and "diagonal" bases, respectively: 

    $\phi_A$:   +:   0° ... "1",  180° ... "0" 
                x:  90° ... "1",  270° ... "0" 

    $\phi_B$:   +:   0° 
                x:  90° 
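The phase-to-bit mapping above can be exercised with the interference probabilities of the interferometer. This Python code is an added example, not code from the paper; it assumes ideal 50:50 beam splitters, no losses and perfect phase stability, so that the click probabilities are cos²(φ/2) and sin²(φ/2) with φ = φ_A − φ_B, and it assigns Bob's output port 0 (constructive interference for φ = 0) to the bit "1" in line with the table.

```python
import math
import random

# Phase-to-bit mapping of the phase-encoded BB84 scheme (Section 4.1.2):
# Alice: basis "+" -> 0 deg means "1", 180 deg means "0";
#        basis "x" -> 90 deg means "1", 270 deg means "0".
# Bob:   basis "+" -> 0 deg, basis "x" -> 90 deg.
ALICE_PHASE = {("+", 1): 0, ("+", 0): 180, ("x", 1): 90, ("x", 0): 270}
BOB_PHASE = {"+": 0, "x": 90}


def click_probabilities(phi_a_deg, phi_b_deg):
    """Mach-Zehnder interferometer with phase shifts phi_A and phi_B in its two
    arms: the photon leaves output port 0 with probability cos^2(phi/2) and
    port 1 with sin^2(phi/2), phi = phi_A - phi_B (ideal 50:50 beam splitters
    assumed). Values are rounded so that exact 0 and 1 come out exactly."""
    phi = math.radians(phi_a_deg - phi_b_deg)
    return round(math.cos(phi / 2) ** 2, 12), round(math.sin(phi / 2) ** 2, 12)


def is_deterministic(phi_a_deg, phi_b_deg):
    """True when the total phase difference is a multiple of 180 degrees, i.e.
    constructive interference in one port and destructive in the other; for
    90 or 270 degrees both detectors fire with probability 1/2."""
    p0, _ = click_probabilities(phi_a_deg, phi_b_deg)
    return p0 == 1.0 or p0 == 0.0


def bob_decodes(port):
    """Port 0 (constructive for phi = 0) carries "1", port 1 (phi = 180) "0"."""
    return 1 if port == 0 else 0


def run(n_rounds, seed=0):
    """One phase-encoded BB84 exchange; returns the sifted (alice, bob) bits.
    Without Eve and with ideal interference the two strings agree exactly."""
    rng = random.Random(seed)
    alice, bob = [], []
    for _ in range(n_rounds):
        a_basis, a_bit = rng.choice("+x"), rng.randrange(2)
        b_basis = rng.choice("+x")
        p0, _ = click_probabilities(ALICE_PHASE[(a_basis, a_bit)],
                                    BOB_PHASE[b_basis])
        port = 0 if rng.random() < p0 else 1
        if a_basis == b_basis:          # bases compared over the public channel
            alice.append(a_bit)
            bob.append(bob_decodes(port))
    return alice, bob
```

Every entry of the table corresponds to a deterministic pair (same basis, φ = 0° or 180°), while the cross-basis pairs give φ = 90° or 270° and a random click, which is the phase-encoding counterpart of measuring a rectilinear photon in the diagonal basis.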



However, in practice it is impossible to keep the same and stable phase conditions 
in two different arms of the Mach-Zehnder interferometer over long distances. 
A way to solve this problem was proposed already by Bennett [1992b]. The two 
communicating parties can employ time multiplexing and use only one optical fibre 
to interconnect their devices (see Fig. 2). Now two unbalanced Mach-Zehnder interferometers 
are used. The path-length difference between the longer and the shorter 
arm of each interferometer is larger than the width of the laser pulse.^9 But the 
path differences are the same for both interferometers. The case where the photon 
goes first through the longer (L) arm and then through the shorter (S) one is indistinguishable 
from the case when it first passes the shorter and then the longer arm. 
This path indistinguishability results in interference at the last beam splitter. 
Thus for the "central peak" (see the right side of Fig. 2) the system behaves exactly 
in the same way as a single balanced Mach-Zehnder interferometer. This peak is 
selected by the proper timing of detection, and the events when the photon passed 
either through both shorter or both longer arms are ignored. 

The first system based on phase encoding was built by Townsend et al. [1993a] 
(see also Townsend et al. [1993b]). The signal was sent through 10 km of fiber in 
a spool. Later the system was modified so that the polarization in the long arms was 
rotated by 90° in both interferometers and the time multiplexing was supplemented 
by polarization multiplexing. That is, at the output of Alice's interferometer and 
at the input of Bob's interferometer there were polarization beam splitters. This 
technique suppresses the lateral non-interfering peaks (Townsend [1994]). Later 
the distance was extended to 30 km (Marand and Townsend [1995]). Townsend 
[1997] also tested wavelength-division multiplexing to carry both the QKD and 
the classical communication through the same fiber on different wavelengths. A 
QKD system with a double Mach-Zehnder interferometer was also realized at Los 
Alamos National Laboratory (Hughes et al. [1996], Hughes et al. [2000b]). They 
tested it in an installed optical fiber up to a distance of 48 km. Another fiber-based 
system (at 830 nm) was realized by Dušek et al. [1999b]. It implemented 
active stabilization of the interferometers and programmed all supporting procedures 
for practical QKD. The system was used as a quantum identification system (for 
mutual identification of the users) at a distance of 500 m. A system with silica-based 
integrated-optic interferometers was built by Kimura et al. [2004] and tested 
at a distance of over 150 km. Toshiba Research Europe developed an automated 
system at 1550 nm with a new method for active interferometer stabilization (a 
"stabilization" pulse goes after each signal pulse) and tested it at distances up 
to 122 km (Gobby et al. [2004], Yuan and Shields [2005]). 

The systems using either polarization encoding or a double Mach-Zehnder interferometer 
require active stabilization to compensate for drifts and fluctuations 
of polarizations and/or phases. Müller et al. [1997] proposed an interesting 
way to implement a QKD device (using phase encoding) where all optical and 
mechanical fluctuations are automatically and passively compensated (the principle of 
this auto-compensation is based on an earlier idea of Martinelli [1989]). Two strong, 
mutually delayed pulses of orthogonal linear polarizations go from Bob to Alice. 
At Alice's side they are attenuated (a part of them is also used for synchronization 
purposes), the first pulse is phase shifted (this is the way Alice encodes the information), 
and both pulses are reflected by a Faraday mirror. The Faraday mirror, 



9 If the pulse width is on the order of nanoseconds then the path-length difference is usually a 
few meters. 



which is a Faraday rotator followed by a mirror, exchanges their vertical and horizontal 
polarization components. Then these two dim pulses return to Bob. Because 
they go back through the same line but with polarizations properly modified by the 
Faraday mirror, all the polarization distortions caused by the birefringence experienced 
by the pulses on their first trip are compensated during the return trip. In the end 
the vertical polarization that was sent returns as a horizontal one and vice versa. At Bob's 
side the first pulse passes the longer arm of an unbalanced Mach-Zehnder interferometer 
while the second pulse passes its shorter arm (the pulses are separated by a 
polarization beam splitter and then their polarizations are made the same). In one 
of the arms Bob now applies his phase shift. Because the original delay between 
the pulses was created by the same unbalanced interferometer, no stabilization of 
this interferometer is needed. Since no special optical adjustment is necessary to 
operate this set-up, it is usually called a "plug&play" system. However, there are also 
some drawbacks: the fact that pulses must go first from Bob to Alice and then 
back complicates the timing of the whole process and may effectively decrease the 
transmission rate. The problem is, especially, with Rayleigh backscattering. To 
suppress its contribution to the error rate, the strong pulses coming from Bob should 
not meet the weak pulses propagating in the opposite direction. Further, because 
the strong pulses must pass the whole path from Bob to Alice before they are 
attenuated and the information is encoded, Eve has an opportunity to change some 
of their properties, e.g., their photon statistics. The system is also more sensitive 
to certain "Trojan horse" attacks (see Section 8.7). 
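Why the Faraday mirror undoes arbitrary fiber birefringence can be shown with Jones matrices. The following Python code is an added example, not code from the paper or from the Geneva group; it assumes the usual reciprocity convention in which the return trip through the same fiber is described by the transpose of the forward Jones matrix in a fixed laboratory frame, and it represents the Faraday mirror as a 90° polarization rotation accumulated over the double pass. The random fibre, built from randomly oriented retarders, is a constructed stand-in for real bends and twists.

```python
import cmath
import math
import random


# 2x2 Jones-matrix helpers (constructed for this example).
def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def transpose(a):
    return [[a[j][i] for j in range(2)] for i in range(2)]


def apply(m, v):
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]


def retarder(delta, theta):
    """Birefringent element: retardation delta between the fast and slow axes,
    fast axis rotated by theta (the effect of a bend or twist, Section 4.1.1)."""
    c, s = math.cos(theta), math.sin(theta)
    rot, rot_t = [[c, -s], [s, c]], [[c, s], [-s, c]]
    diag = [[cmath.exp(1j * delta / 2), 0], [0, cmath.exp(-1j * delta / 2)]]
    return matmul(rot, matmul(diag, rot_t))


def random_fibre(n_segments, seed=0):
    """Concatenation of randomly oriented birefringent segments: an arbitrary
    unitary polarization transformation U for the forward trip Bob -> Alice."""
    rng = random.Random(seed)
    u = [[1, 0], [0, 1]]
    for _ in range(n_segments):
        u = matmul(retarder(rng.uniform(0, 2 * math.pi),
                            rng.uniform(0, math.pi)), u)
    return u


# Reciprocity: in a fixed laboratory frame the return trip through the same
# fibre is the transpose of the forward Jones matrix. A Faraday mirror
# (45-degree Faraday rotator, mirror, rotator again) rotates the polarization
# by 90 degrees in total, exchanging H and V; a plain mirror is the identity
# in this convention.
FARADAY_MIRROR = [[0, 1], [-1, 0]]
PLAIN_MIRROR = [[1, 0], [0, 1]]


def round_trip(fibre, mirror):
    """Jones matrix of Bob -> Alice -> Bob: U^T . M . U."""
    return matmul(transpose(fibre), matmul(mirror, fibre))


def fraction_swapped(fibre, mirror):
    """Power of a launched horizontal state that comes back vertical. With the
    Faraday mirror this is 1 for every fibre, because U^T J U = det(U) J for
    any 2x2 matrix U, so the birefringence of the outgoing trip is undone on
    the way back; with a plain mirror the result depends on the fibre."""
    out = apply(round_trip(fibre, mirror), [1, 0])
    return abs(out[1]) ** 2 / (abs(out[0]) ** 2 + abs(out[1]) ** 2)
```

The identity U^T J U = det(U) J is the whole argument: whatever unitary the fibre applies on the way out, the round trip with a Faraday mirror is the H/V exchange times a global phase, which is exactly the behaviour the text describes. The plain-mirror case is included as the contrast: a quarter-wave plate at 45° already turns H into V on a double pass, while a straight fibre leaves it as H.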

The first experimental realization was done by Zbinden et al. [1997]. The key was 
exchanged over a 23-km-long optical fiber installed under Lake Geneva. Later a 
fully automated system was tested on the same fiber (Ribordy et al. [2000]). The 
implemented protocol was BB84. The system was operated at 1300 nm. A similar 
auto-compensating system operating at 1300 nm was also independently developed 
at IBM (Bethune and Risk [2000]). It was tested on a 10-km-long fiber in a spool. 
In this set-up the pulses sent by Bob had a reduced intensity to avoid Rayleigh 
backscattering. Synchronization was provided by classical pulses at 1550 nm using 
wavelength-division multiplexing. Nielsen et al. [2001] built a system working at 
1310 nm and distributed a key over 20 km in fiber. The group of A. Karlsson demonstrated 
that the plug&play technique can be implemented in fibers also at 1550 nm 
(Bourennane et al. [1999]). Later the operation of an improved Geneva plug&play 
setup at 1550 nm was demonstrated over a 67-km-long optical-fiber link between 
Geneva and Lausanne (Stucki et al. [2002]). 

The first experimental demonstration of the decoy-state method (see Section 3.5) 
was done by Zhao et al. [2005]. Their set-up used a modified commercial QKD 
"plug&play" system manufactured by id Quantique. The distribution was tested 
over a distance of 15 km. The protocol was based on the BB84 scheme together 
with a practical implementation of the decoy-state method with only one decoy 
state. The average intensities of the signal and decoy states were chosen to be 0.8 
and 0.12 photons, respectively. Roughly 88% of signal states and 12% of decoy 
states were transmitted. 

Gisin et al. [2004] proposed a new technique for practical QKD, based on a 
specific protocol and tailored for an implementation with weak laser pulses. The key 
is obtained by a simple measurement of the times of arrival of the pulses incoming 
to Bob. The presence of an eavesdropper is checked by an interferometer built on an 
additional monitoring line. Each logical bit is encoded into a sequence of two pulses: 
either one empty and one non-empty, or vice versa. There is phase coherence 
between any two non-empty pulses because a mode-locked laser is used as the source. 
Some pulses are reflected at Bob's beam splitter and go to the unbalanced Mach-Zehnder 
interferometer (monitoring line). This is where quantum coherence plays 
a role. If the coherence is not broken, only the detector at the particular output of the 
interferometer may fire at certain instants. This makes it possible to detect eavesdropping. 
The first experimental realization of this protocol was done by Stucki et al. [2005]. 

4.2. ENTANGLEMENT-BASED PROTOCOLS 

The principle of entanglement-based protocols was explained in Section 3.6. In
practical realizations only entangled states of photons are used. However, different
kinds of entanglement can be employed: For example, entanglement in polarizations
of photons, entanglement in energy and time, entanglement in orbital angular
momentum, or so-called "time-bin" entanglement, which is a special case of
energy-time entanglement. Experiments with QKD using photon pairs often utilized
set-ups from, and built on, experiments examining the violation of Bell's
inequalities. Besides QKD, the distribution of entanglement between distant users
can be beneficial also for other tasks like quantum teleportation, quantum dense
coding, quantum secret sharing, etc. However, there is a problem of coupling between
the property used to encode the qubits and the other properties of the carrier
electromagnetic field, which arises during propagation in a dispersive medium. This
form of decoherence gradually destroys quantum correlations between the photons. 10
For example, polarization-mode dispersion makes the two values of a
polarization-encoded qubit distinguishable also in the temporal domain and so wipes
out quantum correlations between polarizations. Similarly, chromatic dispersion
degrades energy-time entanglement.

4.2.1. Polarization entanglement 

In this case Alice and Bob are each provided with one photon of an entangled pair in
one of these forms:

$\frac{1}{\sqrt{2}}\left(|V\rangle_A |V\rangle_B \pm |H\rangle_A |H\rangle_B\right), \qquad \frac{1}{\sqrt{2}}\left(|V\rangle_A |H\rangle_B \pm |H\rangle_A |V\rangle_B\right), \qquad (4.1)$

where $|V\rangle$, $|H\rangle$ denote single-photon states with vertical and horizontal
linear polarizations, respectively. The pairs are prepared by a parametric
down-conversion process in nonlinear optical crystals. Polarization entanglement is
created either by one crystal using type-II phase matching (in a proper geometrical
layout) or by two crystals with type-I phase matching that are placed closely one
after the other but with optic axes oriented perpendicularly to each other. Alice and
Bob are equipped with polarization analyzers that can rapidly change measurement
polarization bases, e.g., electro-optical polarization modulators followed by
polarizing beam splitters (with photon counters behind them).

The first two experiments were reported in 2000. Zeilinger's group (Jennewein et
al. [2000]) used a BBO 11 crystal, cut for type-II phase matching and pumped by
an argon-ion laser, to generate photon pairs at 702 nm (both photons had the same
wavelength). Their analyzers consisted of fast modulators, polarizing beam
splitters, and silicon avalanche photodiode (APD) detectors. They demonstrated
QKD over 360 m of installed single-mode fibers. Kwiat's group in Los Alamos (Naik
et al. [2000]) worked with two BBO crystals with type-I phase matching pumped by an
argon-ion laser and also produced photon pairs with degenerate wavelengths at
702 nm. They implemented the original Ekert protocol and demonstrated QKD in
free space over a distance of a few meters. In addition, they experimentally
simulated different eavesdropping strategies. A newer experiment was done by Poppe
et al. [2004] in Vienna. A secret key was distributed over a 1.45-km-long installed
fiber (between a bank and the City Hall). Polarization-entangled pairs at 810 nm
were produced by type-II parametric down conversion in a BBO crystal pumped by a
semiconductor laser. The distribution of entanglement over 13 km in free space was
demonstrated by Peng et al. [2004]. It was used both to prove a space-like separated
violation of Bell's inequality and to realize QKD based on a BB84-like protocol. It
utilized type-II parametric down-conversion in a BBO crystal pumped by an argon-ion
laser. The wavelengths of the entangled photons were 702 nm.

10 This effect also has a positive aspect: It prevents unintentional information
leakage in unused degrees of freedom (Mayers and Yao [1998]).
11 β-BaB2O4.

4.2.2. Energy-time entanglement, phase encoding 

Now the employed two-photon entangled states have the approximate form:



where $|\omega\rangle$ denotes a single-photon state at frequency $\omega$,
$\omega_0$ is the optical frequency of the pump laser, and expresses the
distribution of individual frequency components. The pairs are again produced by
parametric down conversion in nonlinear optical crystals. Photons in states close to
that given by Eq. (4.2) - neglecting vacuum and multi-pair contributions - are
generated when the crystal is pumped by a laser with a large coherence time. Alice
and Bob obtain one photon each and let them pass through identically unbalanced
Mach-Zehnder interferometers (one interferometer at Bob's side, one at Alice's
side). The path-length difference between the longer and shorter arm of each
interferometer must be larger than the coherence length of the generated photons
but shorter than the coherence length of the pump laser. The path differences must
be the same for both interferometers. The detection instants of the two photons
from a pair are very tightly correlated (to within hundreds of femtoseconds), but
the particular times of these coincident detections are uncertain and random.
Therefore Alice and Bob cannot distinguish between the situation when both photons
went through the longer arms of their interferometers and the situation when both
went through the shorter arms (this leads to fourth-order interference). Alice and
Bob choose their measurement bases by changing the phase shifts between the arms of
their interferometers (e.g., they can randomly and independently alternate shifts
of 0° and 90°). When their phase difference is 0°, the measurement outcomes are
deterministic. When the phase difference is ±90°, the results are random. Events
when one photon went through a shorter arm and the other one through a longer arm
are ignored. This arrangement was originally devised by Franson [1989] for other
purposes. Its use for practical QKD in fibers was proposed by Ekert et al. [1992].
for practical QKD in fibers was proposed by Ekert et al. [1992]. The set-up can be 
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Laser 




Figure 3: Schematic setup for QKD using time-bin entanglement. 

further modified to be operated completely in a passive way (Rarity et al. [1994]) 
- see Section 3.6.3. 

This QKD scheme was first realized by Ribordy et al. [2001] from the University of
Geneva. They used a KNbO3 crystal pumped by a doubled Nd-YAG laser to create
entangled pairs with asymmetric wavelengths 810 nm and 1550 nm. The wavelength
810 nm made it possible to use efficient and low-noise Si-APD photon counters at
Alice's side (the distance between the source and Alice's analyzer was very short).
The wavelength 1550 nm of the other photon fit the low-loss window of optical
fibers, so this photon travelled the longer distance between the source and Bob.
Bob was connected to the source by an 8.5-km-long optical fiber in a spool
(dispersion-shifted fiber was used to limit the decoherence induced by chromatic
dispersion). It should be noted that the passive set-up was implemented. Two
measurement bases (at each terminal) were passively and randomly selected using a
polarizing beam splitter. One physical interferometer behaved like two
interferometers with different phase settings for two different polarizations of
light.

4.2.3. Time-bin entanglement, phase-time encoding 

This method is similar to the phase encoding described above. But now there is
one more unbalanced Mach-Zehnder interferometer placed in the pump beam and
a pulsed source is used to pump the crystal. The scheme of the apparatus is shown
in Fig. 3. The generated pair can be described by the following state:



with S and L denoting contributions from pump pulses going through the shorter
and the longer arm of the interferometer, respectively. The path differences of all
three interferometers should be the same. Now Alice can detect a photon in three
different time windows (after each laser pulse): The first corresponds to the
situation when both the pump pulse and Alice's photon went through the shorter arms
(SS), the second corresponds to the combination of the shorter and the longer arm or
vice versa (SL or LS), and the third corresponds to the situation when both the pump
pulse and Alice's photon went through the longer arms (LL). The same holds for
Bob's detections. To establish the secret key Alice and Bob publicly agree on the
events when both of them detected a photon (regardless of which detector fired)
either in the first or in the third time window, but do not reveal in which one, and
on the events when they both registered detector clicks in the second time window,
without revealing at which detector. In the first case they assign different bit
values to the first and third time window (Alice and Bob must have correlated
detection times). The second case (both photons detected in the second time window)
is formally equivalent to the phase-encoding method described above.
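The classical sifting step of the phase-time scheme just described, as an added example that is not part of the original paper: each party announces only "outer window" (1 or 3, without saying which) or "middle window plus basis", never the detector, and bits are then derived locally. The detection records are constructed for illustration, and the three-window/basis bookkeeping (detector identity only matters in window 2) is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Detection:
    """One party's outcome for one pump pulse.
    window: 1 = SS, 2 = SL/LS (phase-encoded part), 3 = LL.
    basis and detector are only meaningful in window 2; in windows 1 and 3
    the detector identity is irrelevant, only the window carries the bit."""
    window: int
    detector: int   # 0 or 1: which output detector of the interferometer fired
    basis: int      # 0 or 1: phase setting (e.g. 0 deg / 90 deg) of the interferometer

def public_announcement(d: Optional[Detection]) -> Optional[tuple]:
    """What is sent over the public channel. Windows 1 and 3 are both reported
    as ("outer",) so the bit value (window 1 -> 0, window 3 -> 1) stays secret;
    window 2 reveals the basis (needed for sifting) but never the detector."""
    if d is None:
        return None                      # no click on this pulse
    if d.window in (1, 3):
        return ("outer",)
    return ("middle", d.basis)

def sift(alice: List[Optional[Detection]],
         bob: List[Optional[Detection]]) -> Tuple[List[int], List[int], List[int]]:
    """Returns (alice_key, bob_key, kept_pulse_indices) after sifting."""
    a_key, b_key, kept = [], [], []
    for i, (a, b) in enumerate(zip(alice, bob)):
        ann_a, ann_b = public_announcement(a), public_announcement(b)
        # Discard: missing coincidence, outer-vs-middle mixes, or mismatched bases.
        if ann_a is None or ann_b is None or ann_a != ann_b:
            continue
        if ann_a[0] == "outer":
            a_key.append(0 if a.window == 1 else 1)   # SS -> 0, LL -> 1
            b_key.append(0 if b.window == 1 else 1)
        else:
            a_key.append(a.detector)                  # phase-encoding case
            b_key.append(b.detector)
        kept.append(i)
    return a_key, b_key, kept

def count_errors(a_key: List[int], b_key: List[int]) -> int:
    """Number of disagreeing sifted bits (basis of a QBER estimate)."""
    return sum(x != y for x, y in zip(a_key, b_key))

# Constructed detection records for 8 pump pulses (not measured data).
ALICE: List[Optional[Detection]] = [
    Detection(1, 0, 0),   # pulse 0: SS at both sides -> bit 0
    Detection(2, 1, 0),   # pulse 1: middle window, same basis -> bit from detector
    Detection(2, 0, 0),   # pulse 2: middle window, bases differ -> discarded
    Detection(3, 1, 0),   # pulse 3: LL at both sides -> bit 1
    None,                 # pulse 4: Alice had no click -> discarded
    Detection(1, 0, 1),   # pulse 5: outer vs middle -> discarded
    Detection(2, 0, 1),   # pulse 6: same basis but detectors disagree (noise) -> error
    Detection(3, 0, 0),   # pulse 7: LL -> bit 1
]
BOB: List[Optional[Detection]] = [
    Detection(1, 1, 1), Detection(2, 1, 0), Detection(2, 1, 1), Detection(3, 0, 1),
    Detection(2, 0, 0), Detection(2, 0, 1), Detection(2, 1, 1), Detection(3, 1, 0),
]

def demo() -> Tuple[List[int], List[int], List[int], int]:
    a_key, b_key, kept = sift(ALICE, BOB)
    return a_key, b_key, kept, count_errors(a_key, b_key)

if __name__ == "__main__":
    a_key, b_key, kept, errors = demo()
    print("kept pulses:", kept)
    print("Alice:", a_key, "Bob:", b_key, "errors:", errors)
```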

This technique was proposed by Brendel et al. [1999] (who also built the
source of pairs) and the QKD experiment was performed by Tittel et al. [2000].
The system was tested only in the laboratory. The KNbO3 crystal was pumped by a
pulsed semiconductor laser diode. The wavelength of the down-converted photons was
1310 nm. Later, the distribution of time-bin entangled qubits was demonstrated
over 50 km of optical fiber (Marcikic et al. [2004]).

§ 5. Technology 

5.1. LIGHT SOURCES 
5.1.1. Attenuated lasers 

In practical QKD systems attenuated lasers are still the only reasonable light
sources (except in systems using entangled pairs). The radiation from a laser can
usually be well described by a single-mode coherent state exhibiting a Poissonian
photon-number distribution (with $\mu$ being the mean photon number):

$p(n) = \frac{\mu^n}{n!}\, e^{-\mu}. \qquad (5.1)$

Clearly, a highly attenuated laser pulse with very small $\mu$ represents a good
approximation of a single-photon Fock state (or rather a superposition of states
$|0\rangle$ and $|1\rangle$) because the ratio $p_{\mathrm{multi}}/p(1)$ of the
probability of more than one photon, $p_{\mathrm{multi}} = \sum_{n=2}^{\infty} p(n)$,
and the single-photon probability, $p(1)$, goes to 0 as $\mu \to 0$. The only
problem is the increasing fraction of vacuum states ($n = 0$). For example, if
$\mu = 0.1$ then $p(0) = 0.905$, $p(1) = 0.090$, and $p_{\mathrm{multi}} = 0.005$.
Empty pulses decrease the transmission rate. A more important problem arises from
detector dark counts. Because detectors must be active for all pulses including
empty ones, the dark-count rate is constant while the rate of non-empty pulses
decreases with decreasing $\mu$. This prevents the use of arbitrarily low mean
photon numbers.

The mean photon number must be chosen according to several aspects. The
existence of detector dark counts and the losses in the system urge us to use a
mean photon number as high as possible. On the other hand the potential
leakage of information through the multi-photon pulses forces us to use a mean
photon number as low as possible. The optimal mean photon number is the one
that maximizes the secure-key rate for the given conditions. It results from the
trade-off between the detection rate and the shortening of the key due to
privacy amplification (because of multi-photon contributions, privacy amplification
shortens the resulting distilled key substantially if $\mu$ is too high, namely if
$\mu > \eta$, where $\eta$ is the line transmittance; Lütkenhaus [2000]).

A good measure of the quality of imperfect single-photon sources is the
second-order autocorrelation function of the source,
$g^{(2)} = \langle I^2\rangle / \langle I\rangle^2$, i.e., the correlation measured
in a Hanbury-Brown-Twiss-type experiment ($I$ means optical intensity). It can be
approximately calculated as $g^{(2)} \approx 2p(2)/[p(1)]^2$ if
$p(1) \gg p(2) \gg \sum_{n=3}^{\infty} p(n)$. The value $g^{(2)} = 1$ corresponds
to the Poissonian case; $g^{(2)} < 1$ indicates a sub-Poissonian distribution.

5.1.2. Single-photon sources: Parametric down conversion 

Another way to prepare quasi-single-photon states is to use photon pairs
generated by spontaneous parametric down conversion (SPDC) (Hong and Mandel
[1986]). Here the crucial point is the tight time correlation between the photons
in the pair. In the ideal case, if one places a photon-number detector into the
path of one member of the pair (say, into the idler beam) and detects one photon,
then at the same time (i.e., in a very short time window of the order of hundreds
of femtoseconds) there must be one photon also in the other - signal - beam.

In reality, due to losses in the signal beam, caused mainly by inefficient
coupling into the fiber, and partly also due to dark counts of the trigger
detector, there may be no photon in the signal beam even if the trigger detector
has clicked. However, the probability of this event is relatively low - today
typically about 30%.

Nearly all practically applicable detectors cannot resolve the number of photons,
and their quantum efficiency is substantially lower than 100%. Therefore, there is
also a non-zero probability of having more than one photon in the signal beam
after the trigger detection. (Notice that the number of photons in one mode is
thermally distributed, while the total number in all modes obeys the Poissonian
distribution.) On the other hand, the efficiency of the conversion of a pump photon
into the pair of sub-frequency photons is very low, typically about $10^{-10}$, so
the probability of generating multi-photon states is also low. 12 Besides, there
are techniques that allow us to partly eliminate multi-photon states. They are
based on the division of the idler beam, used for triggering, among several
detectors. Events with clicks in more than one detector are discarded. This spatial
division can be substituted by time division using one detector behind a delay
loop (Rehacek et al. [2003]).

The important advantage of a SPDC quasi-single-photon source in comparison 
with an attenuated laser is a substantial reduction of the portion of vacuum con- 
tributions, i.e., empty signals. 

From the technological point of view these sources seem feasible. Diode-laser 
pumped SPDC sources emitting in near-infrared region can be made compact and 
robust (Volz et al. [2001]). 

5.1.3. Single-photon sources: Color centers 

A progressive direction in the research of single-photon sources is represented by
color centers in diamond. Color centers are defects in a crystal lattice due to
impurities and vacancies. Crystals with such defects can be relatively easily
prepared and are stable. The key advantage of the sources based on color centers is
that they work at room temperature.

12 Take a source that generates $10^5$ pairs per second on average and consider a
1 ns detection window; then this probability is about $10^{-4}$.

In particular, nitrogen-vacancy centers in synthetic diamond were intensively
studied (Kurtsiefer et al. [2000], Brouri et al. [2000], Beveratos et al. [2001]).
These centers consist of a substitutional nitrogen atom and a vacancy at an adjacent
lattice position. The individual nitrogen atom is excited by a focused laser beam
at 532 nm. Due to fluorescence the atom subsequently emits a photon with a
spectrum centered around 690 nm. Strong anti-bunching is observed. The
weaker point is the broad spectrum of the generated pulses (nearly 100 nm). Optical
properties of the transmission medium (absorption, refractive index, etc.) change
over such a large interval of wavelengths. However, recently a new kind of crystal
defect was found that can emit photons at 802 nm with a spectral width of only
about 1 nm (at room temperature). This color center consists of a nickel ion
surrounded by four nitrogen atoms in a genuine diamond (Gaebel et al. [2004]).

The main problem of single-photon sources based on color centers is a rather low
collection efficiency - currently just about 0.1% for bulk crystals. The situation
is slightly better for diamond nanocrystals 13 - currently over 2% (Beveratos et al.
[2002]). The way to increase the collection efficiency is to put the crystal into
an optical cavity that suppresses the emission into all spatial modes except the
preferred one.

There have already been first experiments with quantum cryptography using
single-photon sources based on nitrogen-vacancy centers (Beveratos et al. [2002],
Alleaume et al. [2004]). QKD was demonstrated in free space over a distance of 50 m.

5.1.4. Single-photon sources: Quantum dots 

Quantum dots are semiconductor nanostructures ("artificial atoms") (Santori et
al. [2001], Moreau et al. [2001], Zwiller et al. [2001], Hours et al. [2003], Baier
et al. [2004]). By suitable preparation a two- or more-level electronic system
can be obtained. Photon emission comes from the recombination of an electron-hole
pair. Electron-hole pairs can be created either by optical pumping with a pulsed
or continuous-wave laser or by an electric current (Yuan et al. [2002]). Various
techniques for the preparation of quantum dots exist. The usual materials are, e.g.,
GaAs, GaAlAs, or InP.

The wavelength of emitted light is determined mainly by the material used. 
Sources operating at telecom wavelengths are possible (Takemoto et al. [2004]). 
The spectral width of a generated pulse depends on the number of excited energy 
levels and the average number of created electron-hole pairs. 

The main practical drawback of quantum-dot photon sources is the need for cooling
to liquid-helium temperature. The latest research promises a shift to temperatures
of about 100 K (Mirin [2004]). But the photon-number distribution of such
"high-temperature" sources is worse. The other problem is a very low collection
efficiency (usually from $10^{-4}$ to $10^{-3}$). This means that the probability
of obtaining an empty pulse is rather high. The efficiency can be increased (up to
about $10^{-1}$) by placing the quantum dot into an integrated solid-state
microcavity (Gerard et al. [1998]).

13 The subwavelength size of nanocrystals suppresses problems with the high
refraction at the sample interface.

The first demonstration of QKD using a quantum-dot single-photon gun was
done by Waks et al. [2002]. It operated in free space over a symbolic distance of
one meter.

5.1.5. Single-photon sources: Single atoms and molecules 

Another way to generate single-photon-like states is to make use of
radiative transitions between electronic levels of a single atom (ion) or molecule.

Single ions caught in a trap and placed inside (or sent into) an optical cavity,
where they interact both with the excitation laser beam and the vacuum field of the
cavity (Kuhn et al. [2002], Keller et al. [2004]), could represent single-photon
sources with good properties (with, e.g., a narrow spectrum and high collection
efficiency due to the presence of the cavity). But the practical feasibility of such
sources is still low because of their technological complexity (among other things,
a high vacuum is needed).

Experiments with single organic-dye molecules are simpler because the molecules
are usually caught in a polymer matrix (Brunel et al. [1999], Fleury et al. [2000],
Treussart et al. [2002]) or put in a solvent (Kitson et al. [1998]) and the source
is operated under ordinary environmental conditions and at room temperature. The
photon statistics of the generated states is reported to be good. A further
advantage is the wide range of wavelengths that can be generated. But the critical
problem is the limited stability of the molecules. Due to photobleaching even the
most stable dyes survive just a few hours of continuous excitation.

5.1.6. Entanglement source: Spontaneous parametric down conversion 

By spontaneous parametric down conversion (SPDC) one can prepare photons en- 
tangled in energies (wavelengths), momenta (directions), and/or polarizations. Any 
of these features can be used for the purposes of QKD based on Ekert-type protocols 
(see Section 3.6). 

In the SPDC process one photon from a pump laser is converted, with a certain
(small) probability, into two sub-frequency photons. The total energy and
momentum are conserved in the process. Since no pair of possible frequencies and
wave vectors of the two generated photons is preferred, the resulting quantum
state is given as a superposition of all allowed cases - it is an entangled state.

SPDC occurs in non-linear optical media, e.g., in the crystals KNbO3, LiIO3,
LiNbO3, β-BaB2O4, etc. Very promising SPDC sources are periodically poled
non-linear materials, namely waveguides in periodically poled lithium niobate
(Tanzilli et al. [2001]).

5.2. DETECTORS 

5.2.1. Avalanche photodiodes 

The most widely used detectors in QKD systems with discrete variables are
undoubtedly avalanche photodiodes (APD). In an APD a single photoelectron generated
by an impinging photon is multiplied by impact ionization. This is because APD
single-photon detectors are operated in a so-called Geiger mode: A reverse voltage
exceeding the breakdown voltage is applied to the junction. Thus the impinging
photon triggers an avalanche of thousands of carriers. To reset the detector the
avalanche must be quenched. This can be done in a passive or an active way. In
passive quenching a large resistor is placed in the detector circuit; it causes the
voltage on the APD to drop after the avalanche starts. In active quenching the bias
voltage is lowered by an active control circuit. This solution is faster, so that
higher repetition rates can be reached (up to 10 MHz). Another possibility is to
work in a so-called gated mode, when the bias voltage is raised above the
breakdown voltage only for a short, well-defined period of time.

To detect photons at specific wavelengths different detector-chip materials are
needed. For the visible and near-infrared region (up to 1.1 μm) silicon APDs can
be used. Nowadays they are a mature technology. Compact counting modules with
integrated Peltier cooling and active quenching are commercially available that
offer low dark-count rates (below 50 per second), high quantum efficiencies (up to
about 70%) and maximum count rates reaching 10 MHz. Cooling to temperatures of
about −20 °C is necessary to keep the number of dark counts induced by thermal
noise in a reasonable range. Note that the dark counts, i.e., events when the
detector sends an impulse even though no photon has entered it, represent an
important factor limiting the operation range of QKD (see Section 6).

For the telecom wavelengths, 1300 nm and 1550 nm, used in fiber communications,
silicon detectors cannot be applied. For 1300 nm germanium and InGaAs/InP
detectors can be used. Germanium detectors require cooling to liquid-nitrogen
temperature (77 K). Typical quantum efficiencies are about 15%, dark-count rates
about $25 \cdot 10^3$ pulses per second (at 77 K). For 1550 nm even germanium
detectors cannot be used any more, and currently the only generally available
detectors for this wavelength window are based on InGaAs (on an InP substrate).
These detectors are now in common use for both telecom wavelengths. InGaAs
detectors must also be cooled to low temperatures. In practice this can be done
either by three-stage Peltier thermoelectric coolers (down to about −60 °C, i.e.,
213 K) or by compact Stirling engines (down to about −100 °C, i.e., 173 K). Today's
typical performance of an InGaAs APD at 1550 nm with a Peltier cooler is as
follows: Quantum efficiency about 5-10%, dark-count rate (in gated mode) about
$10^4\ \mathrm{s}^{-1}$, maximal repetition frequency about 100 kHz-1 MHz (i.e.,
dead time about 1-10 μs). And with a Stirling cooler (−100 °C): Quantum efficiency
above 10%, hundreds of dark counts per second (in gated mode), and maximal
repetition frequency about 100 kHz-1 MHz. It turns out that the dark-count rate
increases with increasing detection efficiency. It is always necessary to find a
trade-off between these quantities. As the number of dark counts increases with
temperature, better overall performance can be achieved at lower temperatures.
Increasing the signal repetition frequency also leads to a growth in the number of
dark counts because of the increasing probability of afterpulses. 14

Let us also mention another effect that can play a negative role in quantum
cryptography. When the avalanche is quenched all charge carriers recombine. This
brings the diode into an insulating state again, a full photodetection cycle is
finished and the diode is ready for the next event. However, some recombinations
are radiative - this results in so-called backflashes. These dim light pulses
propagate back into the communication channel and could reveal information on Bob's
basis setting to an adversary. That is, they represent a serious side channel and
must be carefully eliminated (blocked) by proper filters (Kurtsiefer et al. [2001]).

14 After the avalanche is quenched some charge carriers may stay trapped on
impurities. Their delayed recombination can lead to so-called afterpulses -
unwanted output impulses of the detector.

An interesting possibility to improve the performance of QKD with APD detectors
at telecom wavelengths could be the combination of parametric frequency
up-conversion with efficient silicon APDs, instead of the direct use of InGaAs
APDs. The up-conversion in periodically poled lithium niobate can be rather
efficient while introducing only relatively low noise. The overall quantum
efficiency in combination with a silicon APD detector could then be comparable with
the detection efficiency of an InGaAs APD while the dark-count rate would be lower
(Diamanti et al. [2005]). This could extend the operation range of QKD.

5.2.2. Quantum dot detectors 

A Quantum Dot Resonant Tunnelling Diode is a semiconductor device with a
quantum-dot layer encased inside a resonant tunnelling diode structure (Blakesley
et al. [2005]). In the diode two n-doped GaAs layers are separated by a
double-barrier insulating AlGaAs layer and followed by an InAs self-assembled
quantum-dot layer. The resonant tunnel current through this double-barrier
structure is sensitive to the capture, by one of the quantum dots in the adjacent
dot layer, of a hole excited by the photon. The capture of a hole by the dot can
switch the magnitude of the current flowing through the device.

The maximum detection efficiency measured with the device at 550 nm was 12%.
However, a reasonable dark-count rate of $4000\ \mathrm{s}^{-1}$ was achieved only
with a detection efficiency of 5%. The device was cooled to 77 K. The measured
sample could detect a new photon every 150 ns. This corresponds to about a 6 MHz
repetition rate (Blakesley et al. [2005]). But this is mainly limited by the
external electronics, and an improvement to about 100 MHz is expected in the near
future.

Note that the detector manufactured from GaAs cannot be used in the region of 
telecom wavelengths. Detectors for these wavelengths have to be built from other 
materials like InP. 

5.2.3. Visible Light Photon Counters 

Visible Light Photon Counters (VLPC) are semiconductor detectors consisting of
two main layers, an intrinsic silicon layer and a lightly doped arsenic gain layer
(Waks et al. [2003], Kim et al. [1999]). When a single photon is absorbed a single
electron-hole pair is created. Due to a small bias voltage applied across the
device, the electron is accelerated towards the transparent contact on one side
while the hole is accelerated towards the gain region on the opposite side. Donor
electrons in this region are effectively frozen out in impurity states because the
device is cooled to an operating temperature of about 6 K. However, when a hole is
accelerated into the gain region it easily kicks the donor electrons into the
conduction band by impact ionization. Scattered electrons can create subsequent
impact-ionization events, resulting in avalanche multiplication.

When a photon is detected, a dead spot of several microns in diameter is formed
on the detector surface, leaving the rest of the detector available for subsequent
detection events. If more than one photon is incident on the detector, it will be
able to detect all the photons as long as the probability that multiple photons
land on the same location is small. Therefore these detectors could perform
efficient photon-number-state detection (photon-number counting). However, in
practice they can reliably discriminate only between zero, one and more photons
because of multiplication noise.

The quantum efficiency of a VLPC is about 90% and the dark-count rate about
$2 \cdot 10^4\ \mathrm{s}^{-1}$ at 543 nm (at 6 K).



5.2.4. Superconducting detectors 

To detect single photons, physical processes in superconductors can also be
employed. A few different principles have been proposed and are now being
experimentally tested. All these detectors require a cryogenic environment. The
first kind of detector, usually called a Superconducting Single Photon Detector,
consists of thin strips of superconducting material, such as niobium nitrate,
interconnected to form a meander-shaped "wire" (Verevkin et al. [2002]). In this
"wire" a current bias below the critical current of the material is maintained. An
impinging photon breaks a Cooper pair and generates a hotspot that forms a
resistive region. The width of the strips is designed in such a way that the
current forced around the hotspot exceeds the critical current. This results in an
increase of resistance and a voltage signal indicating the detection of a photon.
Recent measurements show that at 1300-1550 nm the samples have a quantum
efficiency up to 10%, a dark-count rate about $0.01\ \mathrm{s}^{-1}$ and a counting
rate over 2 GHz (Verevkin et al. [2004]). The measurements were done at a
temperature of 2.5 K (liquid helium).

Another type of superconducting detector is the Transition Edge Sensor (Miller et
al. [2003]). These sensors consist of superconducting thin films electrically
biased in the resistive transition. Their sensitivity is a result of the strong
dependence of resistance on temperature in the transition and the low specific heat
and thermal conductivity of materials at typical operating temperatures near
100 mK. The device produces an electrical signal proportional to the heat produced
by the absorption of a photon. These detectors can even determine the number of
impinging photons, i.e., they can perform a photon count. The observed efficiency
at a temperature of 125 mK is about 20%, the dark-count rate about
$0.001\ \mathrm{s}^{-1}$ (Miller et al. [2003]). The newest results show an even
better performance with a quantum efficiency over 80% at 1550 nm (Rosenberg et al.
[2005]). Unfortunately, these detectors are very slow (the dead time is about
15 μs) because it is necessary to remove the heat deposited by each photon (Miller
et al. [2003]).

A further possibility is the Superconducting Tunnel Junction Detector (Fraser et al.
[2003]). It consists of two superconducting electrodes separated by an insulating
layer, together forming a Josephson junction. To suppress the tunnelling current
through the junction, a magnetic field parallel to the electrodes (parallel to the
tunnel barrier) is applied. Incident photons break Cooper pairs, which changes the
tunnelling rate according to the absorbed energy. The operating temperature is of
the order of hundreds of millikelvins. These detectors are able to register photons
from the infrared to the ultraviolet region.
5.3. QUANTUM CHANNELS

5.3.1. Fibers 

The most promising channels for terrestrial QKD are undoubtedly single-mode optical
fibers. The lowest attenuations of standard telecom fibers are at 1300 nm (about
0.35 dB/km) and at 1550 nm (about 0.2 dB/km). Unfortunately, for these wavelengths
standard silicon-based semiconductor photodetectors cannot be used. In principle, it
is possible to use special fibers and work around 800 nm, where efficient detectors
are available. But the attenuation of fibers at these wavelengths is relatively high,
about 2 dB/km, and such fibers are not used in the existing infrastructure.
Therefore, attention is paid to standard telecom fibers and there is an effort to
develop low-noise and efficient detectors for the wavelengths 1300 nm and 1550 nm.

The losses in fibers represent one of the two main factors (see Section 6) limiting
the operating range of QKD systems (notice that an attenuation of 0.20 dB/km means
99% loss after 100 km). Other problems are the strong temperature dependence of some
optical properties of fibers, the disturbance of polarization states of light in
fibers due to the geometrical phase and birefringence, and dispersion.

The distortion of polarization is a crucial obstacle for the use of any kind of 
polarization encoding of information. Therefore in fiber-based QKD systems phase- 
encoding schemes are usually employed. However, even in such a case the output 
polarization state must be under control. Fortunately, if the fiber is fixed the 
polarization properties are relatively stable. 

Dispersion affects the temporal width of broad-spectrum light pulses. Therefore
sources generating broad-band signals are not well suited for fiber QKD.
Nevertheless, there is still the possibility to work near the wavelength of 1310 nm,
where silica fibers have zero chromatic dispersion, or to use fibers with a special
refractive-index profile whose zero dispersion is shifted near 1550 nm.

5.3.2. Free space 

Quantum key distribution can also be accomplished through free space. The advantage
of this approach is that the atmosphere has very low absorption around the
wavelengths 770 nm and 860 nm, where relatively efficient and low-noise silicon
semiconductor detectors can be used. Besides, no optical cables have to be installed.
Also, the atmosphere is not birefringent at these wavelengths and is only weakly
dispersive. The disadvantage is that free-space communication can be used only over
line-of-sight distances; no obstacle may be between the communicating parties. There
are also other drawbacks: The performance is highly dependent on the weather,
pollution and other atmospheric conditions. There are huge differences in
attenuation for different kinds of weather. For instance, for wavelengths near
860 nm the attenuation of clear air can be below 0.2 dB/km, in the case of moderate
rain it is about 2-10 dB/km, and in heavy mist it can exceed 20 dB/km. Further, up
to altitudes of about 15-20 km there is considerable atmospheric turbulence. A
problem is also the spurious influence of background light, especially ambient
daylight. Another issue is beam divergence. Due to diffraction the diameter of the
beam can be considerably enlarged at large distances. This effect causes additional
loss if only a part of the beam is captured by the receiver.
§ 6. Limitations

There are still two main technological obstacles that inhibit the widespread use of
quantum key distribution: limited operating range and low transmission rates.

6.1. TRANSMISSION RATE 

The key factor limiting the raw-key rate is the detector's dead time (i.e., the
recovery time of the detector). In the case of avalanche photodiodes (APD),
immediately after a detection event the detector is not ready for another detection.
First of all, the avalanche of charge carriers must be quenched. However, there is
also a problem with so-called afterpulses, clicks of the detector caused by
spontaneous transitions from long-lived traps (levels in the forbidden band)
populated by the preceding avalanche. It is necessary to wait until the carriers
leave the detection (depleted) region. Typical APD dead time ranges from about a
hundred nanoseconds to a microsecond.

The next factor decreasing the transmission rate appears if an attenuated laser is
used as the source for QKD. Due to security requirements (suppression of
multi-photon pulses) the mean photon number per pulse must be well below one, which
leads to a large fraction of empty (vacuum) pulses among the signals.

Of course, the crucial decrease of transmission rate is due to losses in the channel. 

The rate of distilled key is further decreased by error-correction and privacy- 
amplification procedures. The higher the error rate, the shorter is the distilled key 
that is obtained from the same amount of raw key. 

6.2. LIMIT ON THE DISTANCE 

The maximal distance over which secure QKD can be established decreases with
increasing losses and increasing detector noise. The detector dark-count rate is
constant (for a given detector and settings), but the rate of detected signal
photons decreases with increasing distance due to cumulative losses. So the relative
number of erroneous bits caused by dark counts grows with distance until it is so
high that secure QKD is impossible. Standard amplifiers cannot be used, as they would
affect the states of the photons in a similar manner as eavesdropping. Present-day
technology allows secure operation up to about 100 km.
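As an added illustration of this trade-off (example code written for this page, not from the original review), the following Python model puts numbers on the argument above: a weak-pulse source with mean photon number mu, a detector with efficiency eta and a constant dark-count probability per gate, and the 0.2 dB/km attenuation of standard 1550 nm fiber. The error model (misalignment errors on signal clicks plus dark counts that are wrong half of the time), the parameter values and the 11% QBER cut-off used in `telecom_example` are assumptions chosen for the example, not figures from the page.

```python
from math import log10


def transmittance(alpha_db_per_km, distance_km):
    """Fraction of photons surviving a fibre with attenuation alpha: 10^(-alpha*L/10)."""
    return 10.0 ** (-alpha_db_per_km * distance_km / 10.0)


def distance_for_loss_fraction(alpha_db_per_km, loss_fraction):
    """Distance at which the cumulative loss reaches loss_fraction (99% loss = 20 dB)."""
    return -10.0 * log10(1.0 - loss_fraction) / alpha_db_per_km


def signal_click_probability(distance_km, mu, eta, alpha_db_per_km):
    """Per-pulse probability that a signal photon is detected (mean photon number mu,
    detector efficiency eta); small-signal approximation valid for mu*eta*T << 1."""
    return mu * eta * transmittance(alpha_db_per_km, distance_km)


def qber(distance_km, mu, eta, dark, alpha_db_per_km, e_opt):
    """Quantum bit-error rate: optical misalignment errors e_opt on signal clicks plus
    dark counts (probability `dark` per gate, independent of L), which are wrong half
    of the time.  As L grows the constant dark term dominates the shrinking signal."""
    p_signal = signal_click_probability(distance_km, mu, eta, alpha_db_per_km)
    return (e_opt * p_signal + 0.5 * dark) / (p_signal + dark)


def max_distance(mu, eta, dark, alpha_db_per_km, e_opt, qber_limit, step_km=0.5):
    """Largest distance on a step_km grid at which the QBER stays below qber_limit."""
    d = 0.0
    while qber(d + step_km, mu, eta, dark, alpha_db_per_km, e_opt) < qber_limit:
        d += step_km
        if d > 10000.0:
            raise RuntimeError("QBER never reaches the limit")
    return d


def telecom_example():
    """Assumed parameters, typical of 1550 nm systems of the time: 0.2 dB/km fibre,
    mu = 0.1, InGaAs APD with eta = 0.1 and dark-count probability 1e-5 per gate, 1%
    optical error.  The 11% QBER limit is the usual BB84 threshold (also an assumption)."""
    params = dict(mu=0.1, eta=0.1, dark=1e-5, alpha_db_per_km=0.2, e_opt=0.01)
    return {
        "loss_after_100km": 1.0 - transmittance(0.2, 100.0),
        "km_for_99pct_loss": distance_for_loss_fraction(0.2, 0.99),
        "qber_at_0km": qber(0.0, **params),
        "qber_at_100km": qber(100.0, **params),
        "max_distance_km": max_distance(qber_limit=0.11, **params),
    }
```

With these assumed values the QBER is about 1% at the source, about 5% after 100 km and crosses 11% at roughly 120 km, which is where the dark counts, not the fibre loss by itself, end the secure range.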

6.3. QUANTUM REPEATERS 

The use of entangled pairs for QKD (see Section 3.6) offers an important advantage:
it makes it possible to extend the radius of secure communication to practically
arbitrary distances (at least in theory). This can be achieved by quantum repeaters
(Dür et al. [1999]). They can do "distributed error correction" without revealing
any information on the key. The communication channel is divided into shorter
segments, each containing a source of entangled pairs. At the ends of each segment a
distillation of entanglement (Bennett et al. [1996a]) is performed. It produces a
smaller number of "repaired", highly entangled pairs from an originally higher
number of pairs damaged during transmission. Individual segments are "connected" by
means of entanglement swapping (Bennett et al. [1993], Żukowski et al. [1993]). So
finally Alice and Bob possess highly entangled pairs.
§ 7. Supporting procedures

7.1. ESTIMATION OF LEAKED INFORMATION 

Real devices like polarizers, fibers, detectors, etc. are never perfect and noiseless. 
Therefore we always have to tolerate a certain amount of errors. However, we 
cannot be sure that these errors do not stem from Eve's activity (Eve could, e.g., 
replace some noisy part of the system by better - less noisy - one) so we have to 
attribute all errors to Eve. Fortunately, from the observed error rate it is possible 
to estimate the information leaked to Eve and then "shorten" the established key 
in such a way that Eve's information on the new, shorter key is arbitrarily small. 

First, Alice and Bob randomly choose a certain number of transmitted bits and
compare them publicly to estimate the error rate. The higher the number of compared
bits, the higher is the probability that the actual error probability does not
exceed the estimated value. Assuming the most general attack allowed by the laws of
quantum physics, one can find a bound on the amount of information Eve could get on
the key as a function of the error rate caused by the attack. For the simplest
intercept-resend attack described before (assuming non-continuous eavesdropping)
Eve gets an average information per bit $I = 2\varepsilon$, where $\varepsilon$ is
the bit-error rate. Of course, this attack is not optimal. The limiting ("worst")
values of $I(\varepsilon)$ depend both on the protocol and on the implementation.
These problems will be discussed in more detail in Section 8.

7.2. ERROR CORRECTION FOR CLASSICAL BIT STRINGS 

When Alice and Bob create a sifted key by discarding signals for which Bob has used
the "wrong" basis, their key sequences need not be exactly the same. This may be
caused either by eavesdropping or by "technological" noise. Therefore, Alice and Bob
must correct or eliminate the erroneous bits. Here we describe a simple
error-correction procedure proposed by Bennett et al. [1992a].

Alice and Bob first agree on a random permutation of the bit positions in their
strings to randomize the location of errors. Then they partition the permuted
strings into blocks of size $k$ such that single blocks are believed to be unlikely
to contain more than one error (the block size is a function of the expected
bit-error rate). For each block, Alice and Bob compare the block's parity. Blocks
with matching parities are tentatively accepted as correct. If the parities do not
agree, the block is subjected to a bisective search, disclosing further parities of
sub-blocks, until the error is found and corrected.

To remove errors that remained undetected (e.g., because they occurred in blocks or
sub-blocks with an even number of errors), the random permutation and block-parity
disclosure are repeated several more times, with increasing block sizes. Once Alice
and Bob estimate that at most a few errors remain in the data as a whole, they
change the strategy (at this point, the block-parity approach becomes much less
efficient because it forces Alice and Bob to reveal at least one parity bit per
block). Now they publicly choose random subsets of the bit positions in their entire
respective data strings and compare the parities. If a disagreement is found, a
bisective search is undertaken, similar to that described above. The procedure is
repeated several times, each time with a new independent random subset of bit
positions, until no error is left. Alice and Bob are now in possession of a string
that is almost certainly shared but only partly secret.

The revealed parity bits represent an additional information leaked to Eve that 
must be taken into account. In order to avoid this leakage of information during 
the reconciliation process either the exchanged parity bits must be one-time-pad 
encrypted or the information that is additionally made available to the eavesdropper 
must be taken into account during the privacy amplification step. 

Other error-correcting (or reconciliation) procedures are described by Brassard and
Salvail [1993] (among others a procedure that leaks a minimum amount of information
during reconciliation) and by Sugimoto and Yamazaki [2000].

Note that the error correction shortens the bit string at least to a fraction
$1 - h(\varepsilon)$, where $\varepsilon$ is the error rate and
$h(p) = -p \log_2 p - (1-p) \log_2 (1-p)$ is the binary Shannon entropy. This is the
so-called Shannon limit. Practical error-correcting procedures are less efficient and
shorten the bit string even more.
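The procedure of Section 7.2 and the Shannon-limit comparison, as an added example in Python (not part of the original paper): Alice's string serves as the reference, every parity she discloses is counted as leaked information, and the final random-subset stage stops only after 30 consecutive agreeing subsets (a constructed stopping rule; a random subset has exactly a 1/2 chance of exposing a surviving error). The initial block size of about 0.73 expected errors per block and the error rate of the constructed input are assumptions of the example.

```python
import random
from math import log2


def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2(1-p); the Shannon limit of the text is 1 - h(p)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1.0 - p) * log2(1.0 - p)


def parity(bits):
    return sum(bits) & 1


class Reconciler:
    """Alice's string is the reference; Bob corrects his copy.  Every parity Alice
    discloses is counted in `leaked`, because Eve hears the public channel."""

    def __init__(self, alice, bob, rng):
        self.alice = list(alice)
        self.bob = list(bob)
        self.rng = rng
        self.leaked = 0

    def _disagree(self, idx):
        """Compare the parities of positions idx; costs one disclosed parity bit."""
        self.leaked += 1
        return parity(self.alice[i] for i in idx) != parity(self.bob[i] for i in idx)

    def fix_block(self, idx):
        """Parity check of one block; on mismatch (odd number of errors) bisect
        until a single position remains, which must be wrong, and flip it."""
        if not self._disagree(idx):
            return False
        while len(idx) > 1:
            half = idx[: len(idx) // 2]
            idx = half if self._disagree(half) else idx[len(idx) // 2:]
        self.bob[idx[0]] ^= 1
        return True

    def block_pass(self, block_size):
        """One pass: random permutation, then block-by-block parity comparison."""
        perm = list(range(len(self.bob)))
        self.rng.shuffle(perm)
        for start in range(0, len(perm), block_size):
            self.fix_block(perm[start:start + block_size])

    def random_subset_stage(self, clean_rounds=30):
        """Final stage on random subsets of all positions.  If k >= 1 errors remain,
        a random subset has mismatching parity with probability exactly 1/2, so
        clean_rounds agreeing subsets in a row leave an error with prob. 2^-clean_rounds."""
        streak = 0
        while streak < clean_rounds:
            subset = [i for i in range(len(self.bob)) if self.rng.random() < 0.5]
            streak = 0 if subset and self.fix_block(subset) else streak + 1


def reconcile(alice, bob, error_rate, seed=0):
    """Four block passes with doubling block size, then the random-subset stage.
    Returns (Bob's corrected string, number of parity bits disclosed)."""
    r = Reconciler(alice, bob, random.Random(seed))
    # initial block size ~0.73 expected errors per block (Cascade heuristic; an assumption)
    block = max(2, int(0.73 / max(error_rate, 1e-9)))
    for _ in range(4):
        r.block_pass(block)
        block *= 2
    r.random_subset_stage()
    return r.bob, r.leaked


def simulate(n=2000, error_rate=0.05, seed=1):
    """Constructed input: random sifted key; Bob's copy has each bit flipped with
    probability error_rate.  Compares the disclosed parities with n*h(error_rate)."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob = [b ^ (rng.random() < error_rate) for b in alice]
    bob_fixed, leaked = reconcile(alice, bob, error_rate, seed)
    return {
        "errors_before": sum(a != b for a, b in zip(alice, bob)),
        "errors_after": sum(a != b for a, b in zip(alice, bob_fixed)),
        "leaked_parities": leaked,
        "shannon_minimum_bits": n * binary_entropy(error_rate),
    }
```

`leaked_parities` is the quantity that privacy amplification must later absorb (or that has to be one-time-pad encrypted); for the constructed 5% error rate it comes out well above the Shannon minimum of about 0.29 bits per key bit, which is the inefficiency the last paragraph refers to.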

7.3. PRIVACY AMPLIFICATION FOR CLASSICAL BIT STRINGS 

Let us suppose that both Bob and Eve have already made measurements and they have
some classical information on the key bits sent by Alice.¹⁵ If Bob has more
information on the key sent by Alice than Eve [$I(B;A) > I(E;A)$]¹⁶, then Alice and
Bob can establish a new secret key, such that Eve has negligible information on it,
using only one-way communication. First, Alice and Bob have to carry out an
error-correction procedure in order to have exactly the same bit sequences. At that
point, Alice and Bob possess identical strings, but those strings are not completely
private. Next, they proceed with the following algorithm, called privacy
amplification (Bennett et al. [1988], Bennett et al. [1992a], Bennett et al. [1995]).

Alice, at random, picks $N$ bits, $[X_1, X_2, \ldots, X_N]$, from the sifted key and
performs an exclusive OR operation on them (XOR; here we denote it by $\oplus$),
which gives their sum modulo 2 (in fact she calculates a parity bit):
$X_1 \oplus X_2 \oplus \ldots \oplus X_N$. She tells Bob which bits she did the
operation on, but does not share the result. Bob then carries out the same operation
with his bits at the same positions, $Y_1 \oplus Y_2 \oplus \ldots \oplus Y_N$, and
keeps the result. As we have supposed that Alice's and Bob's bit strings are exactly
the same ($X_i = Y_i$), Bob's result must also be the same as Alice's.

Bob and Alice next replace each $N$-tuple of key bits with the calculated XOR value
(these values represent a new key). Meanwhile, if Eve, who has many errors in her
key, tries the same operation, it only compounds her mistakes, thus her information
decreases. For example, if Eve knows the correct value of each bit with probability
$p = \tfrac{1}{2}(1 + \varepsilon)$, then she knows the parity bit only with
probability $p' = \tfrac{1}{2}(1 + \varepsilon^N) < p$ when $\varepsilon < 1$.

To put it in a more formal way, Alice and Bob share an n-bit string S, and 
we suppose that Eve knows at most k bits of S. Alice and Bob wish to compute 
an r-bit key K, where r < n, such that Eve's expected information about K is 

¹⁵ If Eve has attacked the transmission using quantum probes she can wait with the
measurements on her probes until Alice and Bob carry out all necessary supporting
procedures and she can then adapt her measurements. The procedures described below
are useful even in such a case. More about security issues can be found in Section 8.

¹⁶ $I(X;Y) = H(X) + H(Y) - H(X,Y)$, with $H$ being the Shannon entropy; see Section 8.2.
below some specified bound. To do so, they must choose a compression function
$g : \{0,1\}^n \to \{0,1\}^r$ and compute $K = g(S)$. The procedure described above
is an example of a good compression function. It has been shown by Bennett et
al. [1995] that if Eve knows $k$ deterministic bits of $S$, and Alice and Bob choose
their compression function $g$ at random from a so-called universal class of hash
functions $g : \{0,1\}^n \to \{0,1\}^r$, where $r = n - k - s$ for some safety
parameter $s \in (0, n-k)$, then Eve's expected information about $K = g(S)$ is less
than or equal to $2^{-s}/\ln 2$ bits.

It is worth noting that if even a single discrepancy is left between Alice's and 
Bob's data after the error correction procedure, then after privacy amplification 
their final bit strings will be nearly completely uncorrelated. 
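The XOR step and the universal-hash compression of Section 7.3 as an added Python example (not from the original text). It uses a random Toeplitz matrix over GF(2) as the universal hash family, which is a standard choice for privacy amplification but not one named on the page; the parameters n = 64, k = 20, s = 12 and the single-bit discrepancy in `pa_demo` are constructed for the illustration.

```python
import random
from math import log


def parity(bits):
    """XOR (sum mod 2) of a tuple of bits: the simplest compression step of the text."""
    return sum(bits) & 1


def eve_parity_knowledge(eps, n):
    """Eve knows each of n bits with probability (1+eps)/2; she then knows their XOR
    with probability (1+eps**n)/2, which is smaller whenever 0 < eps < 1 and n > 1."""
    return (1.0 + eps ** n) / 2.0


def toeplitz_hash(bits, diag, r):
    """Multiply the n-bit column `bits` by the r x n Toeplitz matrix over GF(2) whose
    entry (i, j) is diag[i - j + n - 1].  diag has n + r - 1 bits and is the only
    thing Alice must announce publicly to fix the hash function."""
    n = len(bits)
    if len(diag) != n + r - 1:
        raise ValueError("diag must have n + r - 1 bits")
    out = []
    for i in range(r):
        acc = 0
        for j, b in enumerate(bits):
            if b:
                acc ^= diag[i - j + n - 1]
        out.append(acc)
    return out


def privacy_amplify(shared_key, k_known, s, rng):
    """Compress n bits, of which Eve may know k_known, to r = n - k_known - s bits.
    Returns (final key, public diag) so that Bob can compute the same key."""
    n = len(shared_key)
    r = n - k_known - s
    if r <= 0:
        raise ValueError("nothing left after compression")
    diag = [rng.randrange(2) for _ in range(n + r - 1)]
    return toeplitz_hash(shared_key, diag, r), diag


def eve_information_bound(s):
    """Bennett et al. [1995]: Eve's expected information on the final key <= 2^-s / ln 2 bits."""
    return 2.0 ** (-s) / log(2.0)


def collision_rate(x, y, r, trials, seed):
    """Empirical universality check: fraction of random Toeplitz matrices with T x = T y
    for a fixed pair x != y; for this family it is 2^-r on average."""
    rng = random.Random(seed)
    n = len(x)
    hits = 0
    for _ in range(trials):
        diag = [rng.randrange(2) for _ in range(n + r - 1)]
        hits += toeplitz_hash(x, diag, r) == toeplitz_hash(y, diag, r)
    return hits / trials


def pa_demo(n=64, k_known=20, s=12, seed=7):
    """Constructed scenario: Alice and Bob share an n-bit reconciled string and Eve
    knows k_known of its bits.  A single discrepancy left on Bob's side gives him a
    final key that has nothing to do with Alice's (last remark of Section 7.3)."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    final_alice, diag = privacy_amplify(alice, k_known, s, rng)
    r = len(final_alice)
    final_bob = toeplitz_hash(alice, diag, r)       # identical input, identical key
    bob_bad = alice[:]
    bob_bad[5] ^= 1                                  # one uncorrected error
    final_bob_bad = toeplitz_hash(bob_bad, diag, r)
    return {
        "r": r,
        "same_key": final_alice == final_bob,
        "bad_key_differs": final_alice != final_bob_bad,
        "eve_bound_bits": eve_information_bound(s),
    }
```

Only `diag` travels over the public channel; the compressed key never does. Flipping one input bit changes the output by one column of the matrix, which is why a leftover reconciliation error leaves Alice and Bob with uncorrelated final strings.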

7.4. ADVANTAGE DISTILLATION FOR CLASSICAL BIT STRINGS 

Even if the mutual information between Alice and Bob is lower than the mutual
information between Alice and Eve [$I(B;A) < I(E;A)$], it may still be possible to
establish a secret shared key by means of two-way classical communication¹⁷
(assuming a noiseless and authenticated classical public channel; Maurer [1993]).

Alice takes an $N$-bit block, $[X_1, X_2, \ldots, X_N]$, of the sifted-key bits,
generates a random bit $C$ and makes the following encoding (here $\oplus$ means XOR
again; note that all bits of the block are XORed with the same bit $C$):
$[X_1 \oplus C, X_2 \oplus C, \ldots, X_N \oplus C]$. Finally she sends this encoded
block to Bob. Bob then computes
$[(X_1 \oplus C) \oplus Y_1, (X_2 \oplus C) \oplus Y_2, \ldots, (X_N \oplus C) \oplus Y_N]$,
where $[Y_1, Y_2, \ldots, Y_N]$ is his block of the sifted-key bits corresponding to
Alice's block. Bob accepts only if the result consists of equal bits, i.e. either
$[0, 0, \ldots, 0]$ or $[1, 1, \ldots, 1]$. In this case he sets $C = 0$ or $C = 1$,
respectively, as an element of his new key [note that if $X_i = Y_i$ then
$(X_i \oplus C) \oplus Y_i = C$]. If Bob's calculation results in differing bits,
Bob rejects the block.

This procedure is repeated with the other blocks of the sifted key and other random
bits $C$. In other words, Alice and Bob make use of a repeat code of length $N$ with
only two codewords, $[0, 0, \ldots, 0]$ and $[1, 1, \ldots, 1]$. The sequence of
random bits $C$ sent by Alice and accepted by Bob represents the new key generated
by Alice, and the sequence of bits $C$ accepted by Bob represents the new key
received by Bob. In this way, the probability that Bob erroneously accepts a bit $C$
sent by Alice goes down with increasing $N$ as $\varepsilon^N$, where $\varepsilon$
is the bit-error rate in the original sifted key. Eve, on her side, has to use a
majority vote to guess the bit $C$. Hence, Bob's information on $C$ may be larger
than Eve's information even if Bob's information on Alice's bits
$[X_1, X_2, \ldots, X_N]$ is lower than Eve's. To the new key, error correction and
privacy amplification may subsequently be applied.
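The repeat-code protocol of Section 7.4 as an added Python example (not from the original paper), with both the exact post-distillation error probabilities and a simulation on constructed data: Bob's copy of Alice's sifted key has error rate 0.10 while Eve's has 0.05, so initially I(B;A) < I(E;A); with N = 7 Bob's accepted bits are wrong with probability about 2e-7 while Eve's majority vote errs with probability about 2e-4. The error rates, N and the independence of Bob's and Eve's noise are assumptions of the example.

```python
import random
from math import comb, log2


def h(p):
    """Binary Shannon entropy."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1.0 - p) * log2(1.0 - p)


def alice_encode(block, c):
    """Alice XORs every bit of her N-bit block with the same random bit C."""
    return [x ^ c for x in block]


def bob_decode(encoded, block):
    """Bob XORs the public block with his own bits; he accepts only the all-0 or
    all-1 result (the two codewords of the repeat code) and rejects otherwise."""
    r = [e ^ y for e, y in zip(encoded, block)]
    if all(v == 0 for v in r):
        return 0
    if all(v == 1 for v in r):
        return 1
    return None


def eve_decode(encoded, eve_block):
    """Eve does the same with her noisy copy but must majority-vote (N odd)."""
    votes = sum(e ^ z for e, z in zip(encoded, eve_block))
    return 1 if 2 * votes > len(encoded) else 0


def advantage_distillation(alice, bob, eve, n, rng):
    """Run the protocol over all full blocks.  Returns the lists of C as sent by
    Alice, as accepted by Bob and as guessed by Eve, for accepted blocks only."""
    sent, got_bob, got_eve = [], [], []
    for start in range(0, len(alice) - n + 1, n):
        c = rng.randrange(2)
        enc = alice_encode(alice[start:start + n], c)      # goes over the public channel
        cb = bob_decode(enc, bob[start:start + n])
        if cb is None:
            continue
        sent.append(c)
        got_bob.append(cb)
        got_eve.append(eve_decode(enc, eve[start:start + n]))
    return sent, got_bob, got_eve


def bob_error_after(e, n):
    """Exact error probability of an accepted bit: all n of Bob's bits flipped
    (he sees all-1 instead of all-0) versus none flipped."""
    return e ** n / ((1.0 - e) ** n + e ** n)


def eve_error_after(delta, n):
    """Exact error of Eve's majority vote when each of her bits is wrong with prob. delta."""
    return sum(comb(n, k) * delta ** k * (1.0 - delta) ** (n - k) for k in range(n // 2 + 1, n + 1))


def info_on_alice(err):
    """I(C; guess) for a binary symmetric channel with crossover probability err."""
    return 1.0 - h(err)


def ad_demo(length=20000, e_bob=0.10, e_eve=0.05, n=7, seed=11):
    """Constructed data: Bob's copy of Alice's string has more errors than Eve's,
    so initially I(B;A) < I(E;A); after distillation Bob is far more reliable."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(length)]
    bob = [x ^ (rng.random() < e_bob) for x in alice]
    eve = [x ^ (rng.random() < e_eve) for x in alice]
    sent, gb, ge = advantage_distillation(alice, bob, eve, n, rng)
    return {
        "before": (info_on_alice(e_bob), info_on_alice(e_eve)),
        "after": (info_on_alice(bob_error_after(e_bob, n)), info_on_alice(eve_error_after(e_eve, n))),
        "accepted": len(sent),
        "bob_errors": sum(a != b for a, b in zip(sent, gb)),
        "eve_errors": sum(a != b for a, b in zip(sent, ge)),
    }
```

The price is throughput: Bob accepts a block only with probability (1-ε)^N + ε^N, so roughly half of the constructed blocks are discarded at N = 7, and each accepted block yields a single key bit.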

7.5. AUTHENTICATION OF PUBLIC DISCUSSION 

In practice, the "auxiliary" information transmitted through the open channel during
QKD could be modified, as it is difficult to create a physically unjammable classical
channel. For example, Eve can cut both the quantum and the classical channel and
pretend to be Bob in front of Alice. Therefore authentication of the messages sent
over the open channel is necessary (the recipient must be able to check that the
message has come from the "proper" sender and that it has not been modified). This
procedure requires additional "key" material to be stored and transmitted. For
quantum cryptography to provide unconditional security, the procedure used for
authentication of the public discussion must also be unconditionally secure. Such
authentication algorithms exist (Wegman and Carter [1981], Stinson [1995]). They are
based, e.g., on so-called orthogonal arrays. The length of the authentication
password must always be greater than the length of the authenticated message, but
the authentication tag (the additional information sent together with the message to
verify its origin and integrity) is relatively short. This authentication tag itself
is one-time-pad encrypted to avoid leaking information on the authentication
password to Eve. A short random sequence of the same length as the authentication
tag, used for its encryption, needs to be renewed after each QKD transmission (it
may be "refilled" from the established key string). For example, if the cardinality
of the set of authenticated messages is $(p^d - 1)/(p - 1)$, where $p$ is a prime
and $d \geq 2$ an integer, an authentication code can be created with $p^d$ keys and
$p$ authentication tags. The deception probability is then $1/p$ (Stinson [1995],
Dušek et al. [1999b]).

¹⁷ Two-way communication is anyway necessary for basis announcement in BB84.

Clearly, the authentication requires Alice and Bob to meet each other at the 
beginning in order to exchange an authentication password and primary one-time- 
pad key for encrypting the authentication tag. After each transmission, this key 
is replaced by a new one, obtained from the transmitted sequence. Therefore, the 
QKD cryptosystem works rather as an "expander" of shared secret information: 
Some initial shared secret string is needed but later it can be arbitrarily expanded. 
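Added example (Python, not the paper's code) of the $d = 2$ case of the construction just described: $p + 1$ messages ($0, \ldots, p-1$ and a point at infinity), $p^2$ keys $(a, b)$ and $p$ tags with $t = a m + b \bmod p$. The brute-force check confirms the deception probability $1/p$ for a small prime, and `recover_key_from_two_plain_tags` shows why the transmitted tag must be one-time-pad encrypted: two plain tags under the same key reveal it. The Mersenne prime $2^{61} - 1$ and the 60-bit messages in `auth_demo` are an assumed choice for the large-message variant.

```python
import random

INF = "inf"   # the (p+1)-th message: the point at infinity of the projective line


def tag(key, message, p):
    """OA(p, p+1) authentication code: key = (a, b) in Z_p x Z_p (p^2 keys), p+1
    messages (0..p-1 and INF), p tags.  tag(m) = a*m + b mod p, tag(INF) = a."""
    a, b = key
    if message == INF:
        return a % p
    if not 0 <= message < p:
        raise ValueError("message out of range")
    return (a * message + b) % p


def authenticate(key, pad, message, p):
    """Tag the message, then one-time-pad the tag with a fresh pad in Z_p, so the
    transmitted tag reveals nothing about (a, b); only the pad is consumed."""
    return (tag(key, message, p) + pad) % p


def verify(key, pad, message, enc_tag, p):
    return (enc_tag - pad) % p == tag(key, message, p)


def recover_key_from_two_plain_tags(m1, t1, m2, t2, p):
    """Why the pad matters: two UNencrypted tags under one key give away (a, b)."""
    if m1 == INF or m2 == INF:
        a = t1 if m1 == INF else t2
        m, t = (m2, t2) if m1 == INF else (m1, t1)
        return a, (t - a * m) % p
    a = ((t1 - t2) * pow((m1 - m2) % p, -1, p)) % p
    return a, (t1 - a * m1) % p


def substitution_probability(p):
    """Brute force over all keys: worst-case probability that an attacker who
    observed a valid (m, t) can produce a valid tag for some m' != m.  For this
    construction every (m, t) is consistent with exactly p keys and exactly one
    of them also yields any given (m', t'), hence 1/p."""
    msgs = list(range(p)) + [INF]
    keys = [(a, b) for a in range(p) for b in range(p)]
    worst = 0.0
    for m in msgs:
        for t in range(p):
            consistent = [k for k in keys if tag(k, m, p) == t]
            for m2 in msgs:
                if m2 == m:
                    continue
                for t2 in range(p):
                    hits = sum(1 for k in consistent if tag(k, m2, p) == t2)
                    worst = max(worst, hits / len(consistent))
    return worst


def auth_demo():
    """Large-message variant (assumed parameters): with the Mersenne prime
    p = 2^61 - 1 any 60-bit value is a valid message; the 122-bit key (a, b)
    and the 61-bit pad are taken from the previously shared secret."""
    p = 2 ** 61 - 1
    rng = random.Random(5)
    key = (rng.randrange(p), rng.randrange(p))
    pad = rng.randrange(p)
    msg = rng.getrandbits(60)                   # e.g. Bob's packed basis announcement
    enc = authenticate(key, pad, msg, p)
    accepted = verify(key, pad, msg, enc, p)
    forged = verify(key, pad, msg ^ 1, enc, p)  # Eve flips one message bit, reuses the tag
    return accepted, forged
```

Note the key-length relation stated in the text: a 60-bit message is protected by a 122-bit key, and each transmission additionally consumes a 61-bit pad, which is what the established QKD key has to replenish.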

§ 8. Security 

It is the goal of QKD to deliver secret keys to the users. It differs from classical key 
distribution schemes as in QKD we can actually prove the security of the final key 
under a very limited number of natural assumptions. These include, for example, 
that an eavesdropper cannot have access to the data inside the devices of Alice and 
Bob. 

In an experimental implementation one cannot demonstrate directly secure quan- 
tum key distribution: security cannot be measured as such. Security is a theoretical 
statement and refers to specific protocols to generate a secret key from the data we 
obtain in an experiment. These protocols depend on observable parameters, such 
as the error rate, the mean photon number of the source and the loss rate of the 
signals. So in an experiment, one verifies the model assumptions of the theoretical 
security analysis and demonstrates that one can operate the device such that the 
observed parameters allow the generation of a secret key following the protocol. It 
is important that the awareness of this point increases. 

Let us have a closer look at the problem of real-life implementations of QKD
schemes (see Section 4). All devices we are using will be imperfect to some degree.
Moreover, all quantum channels show imperfections, for example in the form of
polarization mode dispersion, dephasing in interferometric schemes, and, dominantly,
loss (Gisin et al. [2002]). Basic QKD protocols test for the presence of an
eavesdropper by looking for changes in the quantum mechanical signals. As a result
of imperfections we have to face the situation that Alice and Bob end up with data
that deviate from the ideal ones. Therefore they would have to abort QKD in an
idealized simple protocol that only tests for the presence of an eavesdropper: we
have to assume the worst-case scenario that the degradation of the data is not due
to the channel imperfections, but might come from an active eavesdropper. The
eavesdropper could be correlated with the data of Alice and Bob, thus having some
information about them. Moreover, in general Alice and Bob do not even share an
error-free bit string.

It turns out that there are ways to create a secret key despite these imperfec- 
tions. For this, Alice and Bob apply some postprocessing procedures by publicly 
communicating over a classical, authenticated channel. Typically, these procedures 
include error correction and privacy amplification (see Section 7). It is important to 
know what key rate can be achieved from the data without compromising security. 
The parameters for the public discussion protocols come from the security proofs. 
In this section we will give some background to security proofs and report on the 
present status for different protocols. 

8.1. ATTACKS ON IDEAL PROTOCOLS 

Before we start to analyze the security of QKD in more detail, let us have a look 
at how Eve could actually perform her eavesdropping activity. From the theory of 
quantum mechanical measurements we know that any eavesdropping can be thought 
of as an interaction between a probe and the signals. Eve can then measure the 
probe to obtain information about the signals. 

We distinguish three main types of eavesdropping attacks: 
Individual Attack: In the individual attack Eve lets each signal interact with a
    separate probe. Eve then performs a measurement on each probe separately
    after the interaction. This type of attack is easy to analyze since it does not
    introduce correlations between the signals.
Collective Attack: The collective attack starts as the individual attack, as each
    signal interacts with its own independent probe. At the measurement stage,
    however, Eve can perform measurements that act on all probes coherently.
    We know from quantum estimation theory that such a measurement can in
    some cases give more information about the signals than the individual
    measurement. For the analysis it is convenient that also this attack does not
    introduce correlations between the signals.
Coherent Attack: This is the most general attack which an eavesdropper can
    launch on the quantum signals exchanged between Alice and Bob. Actually,
    one can assume the worst-case scenario that Eve has access to all signals at the
    same time. Then the sequence of signals is described by one high-dimensional
    quantum state, on which Eve can perform a measurement via a single probe.
    This type of interaction can introduce any type of correlations, also between
    subsequent signals, as seen by Alice and Bob.

Further variations of these attacks can be obtained by distinguishing whether Eve 
has to measure her probes before Alice and Bob continue their protocol, e.g. by 
exchanging basis information in the BB84 protocol, or whether she can delay her 
measurement until the very end of the protocol executed by Alice and Bob. 

Note that Eve does not necessarily have to measure the probe to extract information
about the key. The secret key will be used to encrypt a secret, or be used in a
different cryptographic application, which might also use quantum tools. So Eve
might use her probes from the QKD protocol to attack the subsequent cryptographic
application. The problem whether we can separate the security analysis of the
different steps is known as composability. This has been addressed recently by
Ben-Or et al. [2004], showing that also in the quantum case the generation of a
secret key via QKD can be separated from the later use of this key. This is
especially important since part of this secret key will be used to authenticate the
public channel of subsequent QKD exchanges.

Another question concerns the assumptions about the extent to which an eavesdropper
can exploit imperfections of Alice's and Bob's devices. As an example, consider
single-photon detectors: they are affected by dark counts and have a non-ideal
detection efficiency (see Section 5.2). In a paranoid picture, we assume that Eve
can exploit even these imperfections. She might reduce or eliminate dark counts by
a suitable pulse sequence inserted into the optical fiber leading to Bob's detectors.
By a change of wavelength, she might increase the detection efficiency. Clearly, a
precaution against each individual known attempt can be taken, though it will hardly
be possible to list all possible attacks exhaustively. In the paranoid picture, we
are on the safe side even if Eve could really do all those things. Actually, it turns
out that this paranoid picture is extremely helpful for providing actual security proofs.

On the other hand, we can hope to protect Bob's detectors against eavesdropping
activities that manipulate them. In that case, the secure key rate will clearly
increase. However, it turns out that it is technically harder to provide
unconditional security proofs in this scenario.

In the history of QKD, the individual attack played a crucial role (Fuchs et
al. [1997], Ekert et al. [1994], Lütkenhaus [1996], Slutsky et al. [1998]) since it
has been easy to analyze in conjunction with the generalized privacy amplification
method. However, presently the individual attack scenario is losing its relevance
since methods have been developed to prove unconditional security, that is, security
against coherent attacks. Actually, it is widely believed that for typical protocols
one needs only to consider collective attacks, though only recently have steps been
made to prove this (Renner [2005]).

8.2. SECURE KEY RATES FROM CLASSICAL THREE-PARTY CORRELATIONS

A typical, practical QKD protocol consists of two phases: 

Phase I: A physical setup generates quantum mechanical signals. These are dis- 
tributed and subsequently measured. As a result, Alice and Bob hold classical 
data describing their knowledge about the prepared signals and the obtained 
measurement results. 

Phase II: Alice and Bob use their authenticated classical channel to talk about 
their data, for example by sifting their data, performing error correction and 
privacy amplification. 

The important question is how exactly to convert the data obtained in phase I into
a secret key in phase II. To understand this process and its limitations, let us
have a look into the classical world. Also in classical information theory
unconditional security is discussed. There the starting point is identically and
independently distributed random variables with a joint probability distribution for
the data of Alice, Bob and Eve, $P(A,B,E)$. Once one assumes correlations of a given
type, described by $P(A,B,E)$, one can investigate whether public discussion
protocols can turn these data into a secret key.

There are two main results in this context. The first one is a lower bound on the
achievable rate, given by Csiszár and Körner [1978]. Remember that the Shannon
entropy $H(A)$ of a random variable $A$, which takes values $a$ with probability
$p(a)$, is defined as $H(A) = -\sum_{a \in A} p(a) \log_2 p(a)$, and the Shannon
entropy of a joint probability distribution is analogously defined as
$H(A,B) = -\sum_{(a,b)} p(a,b) \log_2 p(a,b)$ (Cover and Thomas [1991]). The Shannon
mutual information between two parties holding the random variables $A$ and $B$,
respectively, with joint probability distribution $p(a,b)$ is then given by

$$ I(A;B) = H(A) + H(B) - H(A,B) . \qquad (8.1) $$

The lower bound on the maximal secure-key rate $R$ is then given (Csiszár and
Körner [1978]) by

$$ R \geq \max\bigl( I(A;B) - I(A;E),\; I(A;B) - I(B;E) \bigr) . \qquad (8.2) $$

This lower bound can be achieved, if positive, in the following way: Alice and Bob
perform error correction (see Section 7.2) via a one-way method, either by Alice
giving error-correction information to Bob, or vice versa, depending on whether
the first or the second expression in Eq. (8.2) is bigger. If we encrypt the
error-correction information with a one-time pad to avoid leaking additional
correlations to Eve, then this reduces the effective key rate by the fraction
$1 - I(A;B)$ of the original data. In the second step, Alice and Bob perform privacy
amplification, shortening their key by the fraction $I(A;E)$ or $I(B;E)$, depending
on the chosen communication direction. In total we find the key rate given on the
right-hand side of Eq. (8.2).¹⁸

Surprisingly often, we find that this classical lower bound is also cited and used
in a QKD scenario, where an optimization over individual attacks is performed to
give bounds on Eve's information about Alice's or Bob's data. Note that the use of
the Csiszár-Körner formula is restricted to the classical case of independently and
identically distributed random variables. This can only be justified if we restrict
Eve to individual attacks, which are not necessarily optimal compared to coherent or
collective attacks. Additionally, we have to assume that Eve attacks all signals in
precisely the same fashion, and that she measures the probe of each signal
immediately. It is clear that the key rates predicted by this procedure can give a
rough feeling of what to expect from a more detailed security analysis, but they
cannot replace it.

The second important result in the classical three-party situation is due to Maurer
(Maurer [1993], Maurer and Wolf [1999]). It gives an upper bound on the extractable
secret-key rate for a given $P(A,B,E)$. It can be expressed in terms of the
conditional mutual information $I(A;B|E)$, which is defined as¹⁹

$$ I(A;B|E) = H(A|E) + H(B|E) - H(A,B|E) . \qquad (8.3) $$

¹⁸ Alternatively, one can send the error-correction information unencoded; then the
final key is shortened in privacy amplification, giving the same effective secret-key
rate (Cachin and Maurer [1997], Lütkenhaus [1999]).

¹⁹ The conditional Shannon entropy is defined as
$H(X|Y) = -\sum_{x \in X,\, y \in Y} p(y)\, p(x|y) \log_2 p(x|y)$, with $p(x|y)$
being a conditional probability.
The formal definition of the upper bound, the intrinsic information, is

I(A;B\downarrow E) = \min_{E \to \bar{E}} \left[ H(A|\bar{E}) + H(B|\bar{E}) - H(A,B|\bar{E}) \right] , (8.4)

where we minimize over all possible mappings from the random variable E to the random variable Ē [i.e., over all possible probability distributions P(A,B,Ē) consistent with P(A,B)]. The intrinsic information measures how much Bob learns about Alice's data by looking at his own data after Eve announced her data (or a function of her data). The bound is then given by

R \le I(A;B\downarrow E) . (8.5)

If Bob's data depend only on Eve's announcement, but no longer on Alice's data, then the intrinsic information vanishes and we find that no secret key can be generated. Note that this statement is true for all possible public discussion protocols Alice and Bob might come up with (Maurer and Wolf [1999]).

By evaluating the lower and upper bounds one finds a wide gap between them. 
Actually, there are no protocols known to achieve the rate of the upper bound. The 
method of advantage distillation (see Section 7.4) taps into the gap (Maurer [1993]). 
There are cases where the lower bound is initially zero, but after the application of 
an advantage distillation step the lower bound for the new, conditional, correlations 
is positive. 

8.3. BOUNDS ON QUANTUM KEY DISTRIBUTION 

So far we have been talking about the classical scenario. There we had to assume a 
specific form of the joint probability distribution P(A, B, E). In quantum mechanics 
we can infer from the observations on Alice's and Bob's side something about the 
ways Eve might be correlated to their data, so we are in a stronger position. At 
the same time, we have some added complications: Eve is free to maintain her 
probes in a quantum mechanical state. We cannot force her to measure her probe, 
thus reducing her probe to classical data. So we cannot directly use quantum 
mechanics to consider the class of joint probability distributions P(A, B, E) that 
are compatible with the observations to apply the Csiszár-Körner result. Here we
have to find new lines of argumentation to provide the security statements, including 
new lower bounds. However, in one point the classical statements can be directly 
applied: the result of Maurer on upper bounds on the key rates is valid for QKD. 
Any individual attack compatible with the observations and quantum mechanics 
allows us to derive a valid upper bound (Moroder et al. [2005]). We obtain this 
upper bound by choosing a measurement on the individual probes. This results 
in a classical probability distribution P(A, B, E) and subsequently we obtain an 
upper bound on the key rate in the quantum case according to inequality (8.5). 
Other bounds are given e.g. by the regularized relative entropy of entanglement 
(Horodecki et al. [2003a], Christandl and Renner [2004]). 

This idea allows us to address a question that is important for experimental quantum key distribution: which types of correlated data generated by a set-up of Phase I can lead at all to a secret key via a suitably designed protocol in Phase II? More specifically, given a set of signals for Alice and a choice of measurement devices for Bob, and given that one finds some joint probability distribution P(A,B) for the signals and measurement results using some quantum channel under Eve's control: can we at all generate a secret key from these data? What would be an upper bound for the data rate we can obtain?

As a (partial) answer it turns out that it is a necessary condition for generating a secret key from these data that they cannot be explained as coming from an entanglement breaking channel (Curty et al. [2004]). Such a channel breaks the entanglement of an entangled input state by acting on that sub-system of a bi-partite state which passes through it. It has been shown by Horodecki et al. [2003b] that each entanglement breaking channel can be represented by a so-called intercept/resend attack (see Section 2.5). In this attack Eve performs some measurement on Alice's incoming signal, transmits the measurement result over a classical channel and then feeds a new quantum state into Bob's measurement device which depends only on Eve's measurement result. If the data cannot be explained in this way, we say that the data contain quantum correlations. In this situation it has been shown that the intrinsic information does not vanish (Acín and Gisin [2005]).

It is easy to see that from data that can be explained as coming from an entanglement breaking channel we cannot generate a secret key. Just have a look at the joint probability distribution of Alice, Bob and Eve, regarding Alice's signals and Bob's and Eve's measurement results. This class of channels assures that the joint probability distribution for Alice and Bob conditioned on Eve factors as P(A,B|E) = P(A|E) P(B|E). One can insert this into the definition of the intrinsic information (using Ē = E) and finds quickly that the intrinsic information vanishes, using H(A,B|E) = H(A|E) + H(B|E). This means that the upper bound on the key rate vanishes and no secret key can be generated. This principle allows us to narrow down the parameter regimes in which QKD can be successfully performed at all for specific setups. For specific protocols, e.g., a choice of signals and measurement devices, one can convert the question whether a given set of data can be explained by an entanglement breaking channel into the problem of proving the existence of entanglement of a virtual bi-partite quantum state (Curty et al. [2004], Curty et al. [2005]). This can be done e.g. using the idea of entanglement witnesses (Horodecki et al. [1996]).

Since general security proofs can be quite complicated, it makes sense for newly proposed QKD protocols to check first for which parameter regime of the channel the upper bound does not vanish. Note that once we have verified the presence of quantum correlations we have only satisfied a necessary condition for secure QKD; we still need to provide a protocol of Phase II together with a security proof to achieve QKD. It is not clear whether one can always generate a secret key once we have quantum correlations.

8.4. SECURITY PROOFS 

It is time to show ideas of how to construct protocols in Phase II which turn the 
observed correlated data into secret key. The key requirement in quantum key 
distribution is that at the end of such a protocol, the quantum system in Eve's 
hand should be uncorrelated with the output of the protocol: the secret key. 

There are several ideas how one can achieve this goal. Consider a quantum channel which transmits faithfully two non-orthogonal states. One can show that in this case Eve cannot have interacted with the signals; more precisely, starting with a general interaction with a probe and adding the constraint that the interaction leaves two non-orthogonal signal states invariant, one can show that the output of this action is a tensor product between the probe and the signal states. This guarantees that the probe cannot be correlated with the signals or Bob's measurement results: the state of the probe is independent of these classical data of Alice and Bob.

Clearly, in a realistic noisy channel, we cannot expect to be able to use this principle directly. However, there is an analogy in classical information transfer. As we learned from Shannon, one can use noisy classical channels to transmit classical messages perfectly. The trick is to use classical error correction codes that encode the original message as so-called codewords. The encoded message is sent through the noisy channel. The effect of the noise on the codewords can be detected and the errors can be corrected. This mechanism works asymptotically perfectly.

Something similar can be done by using Quantum Error Correction Codes (QECC); Calderbank and Shor [1996], Steane [1996]. Again, the basic idea is to take the non-orthogonal signal states from the source, to encode them into a longer sequence of signals that are transmitted through the channel, and then to decode the original states asymptotically error-free. This can be done in principle, though in this form it would require Alice and Bob to perform encoding and decoding operations on several signals, which is beyond our present experimental capability. Based on this idea, and using earlier results by Mayers (Mayers [1996], Mayers [2001]), Shor and Preskill [2000] showed that one can adapt the basic idea of quantum error correction codes so that the quantum protocol becomes equivalent to the standard BB84 protocol in which Alice sends a random sequence of signals and Bob measures them in a randomly selected basis. In that case, the decoding operation of the QECC turns into classical error correction and privacy amplification and no quantum manipulation capabilities are required.

Let us have a look at this method in more detail. A QECC can correct errors which are introduced by the channel. The Shor and Preskill security proof is based on the Calderbank-Shor-Steane QECC (Calderbank and Shor [1996], Steane [1996]) which divides the errors into bit and phase errors. That is, without loss of generality, the channel applies to each signal qubit either an error operator, σ_x or σ_z, or it applies the identity operator. One encodes the signal qubits into quantum codewords, i.e., into a larger number of qubits, which are then sent over the channel. As long as the number of qubits affected by error operators is sufficiently low, the action of the channel can be reverted, thanks to the additional structure that is provided by the codewords. The reversion of the σ_x errors corresponds to the classical bit error correction. The errors coming from σ_z will not be corrected, as we are interested only in the bit values of the original quantum signals. Instead, one chooses the QECC structure such that, in principle, one could have corrected these errors in the quantum domain. This happens by including redundancy in the signals. Taking out this redundancy is exactly what happens in the privacy amplification procedure.

We note that one essential step is to estimate the number of phase and bit errors, since the security hinges on the fact that one could in principle correct these errors. Therefore, in fact, it is an essential task to estimate the number of errors from the observable data. From this estimation, we can then determine the parameters characterizing the classical bit error correction and privacy amplification. It is important to reduce this estimation problem from the quantum level to the level of classical estimation theory. In the case of the BB84 protocol and the Shor-Preskill proof this is straightforward, due to the symmetry. For other protocols more advanced methods have been developed (Tamaki et al. [2003b], Koashi [2004]).

Let us come to the next principle for security proofs. The principle exploiting 
the QECC method uses effectively only one-way communication. This idea can 
be extended to two-way communication, which turns out to tolerate higher noise 
levels in the channel. So far, we have been using the idea that it is sufficient to 
create an effective perfect channel between Alice and Bob to guarantee that Eve 
decouples from Alice and Bob. Another way to achieve this goal is to establish 
maximally entangled states between Alice and Bob. Once Alice and Bob verify this 
property, they can be assured that Eve is decoupled from their bi-partite states. 
This is what is commonly referred to as monogamy of entanglement. Clearly, once 
we have effective perfect channels via QECC, we can achieve the distribution of 
maximally entangled states. For this, Alice prepares these states locally and sends 
one subsystem of each state to Bob via the effective, perfect, channel. This method 
can be generalized in the way that Alice sends the subsystems via the noisy channel 
to Bob. The important idea is that Alice and Bob then perform entanglement 
distillation to regain a reduced number of maximally entangled states (Bennett et 
al. [1996b]). This assures that Eve is decoupled from their states. Actually, the 
use of one-way QECC is one method for this, though there are two-way protocols 
that can tolerate a higher error threshold. In practical QKD it is important to find 
those entanglement distillation protocols that can be translated again in classical 
post-processing of data. An example of this is the protocol and security proof based 
on the BB84 protocol by Gottesman and Lo [2003] and Chau [2002].

For quite a while it seemed that the security of QKD can always be expressed via an underlying entanglement purification protocol. However, recently it has been shown by the Horodecki family and Oppenheim (Horodecki et al. [2003a]) that one can go even further. They showed that one can create secret keys also from states that are bound entangled, that is from states that cannot be distilled to maximally entangled states. The important idea behind their protocols is that there are certain global unitary operations acting on their systems only, which cannot actually be performed by Alice and Bob due to their spatial separation, but which would turn the bound entangled states into products of maximally entangled states and some remaining systems. Again, Eve is then decoupled from the maximally entangled system. Alice and Bob obtain their secret key by measuring the maximally entangled state in a predefined basis. The discussed global unitary operations now have the property that they leave these measurement results invariant. So the key data will be the same with or without applying the unitary operation. Since the key is secure after application of the global unitary operation of Alice and Bob, it is also secure without performing this operation. The security is therefore not based directly only on the distillability of maximally entangled states.

8.5. SPECIFIC ATTACKS 

Before we turn to the security results for given protocols, we list a few specific 
attacks, especially those that are applicable to realistic implementations of QKD 
going beyond the simple qubit picture. 
8.5.1. Intercept-resend attack

We understand under the intercept-resend attack any attack where Eve performs a complete measurement on the signals which Alice sends out. A special version has been introduced already in Section 2.5. Eve then transmits the classical measurement result and prepares a new quantum state close to Bob's detection device. In this way, she cuts out all channel imperfections. As we have seen before, the resulting correlations will not allow Alice and Bob to create a secret key. The simplest example is an intercept-resend attack in the BB84 protocol: Eve performs a measurement of the BB84 signals in one of the signal bases and prepares a state which corresponds to her measurement result. For example, if she measures in the horizontal/vertical polarization basis and obtains a vertically polarized photon, she prepares such a vertically polarized photon for Bob. Actually, in the sifted key, that is for those signals where Alice's and Bob's polarization bases agree, this leads to an error rate of 25%. This error rate is composed of an error rate of 0% whenever Eve used the same basis as Alice and Bob, and 50% whenever her basis differs from theirs. It follows that for data with more than 25% average error rate QKD cannot be successfully completed.
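As an added worked example (Python written for this page, not code from the original review or its cited papers), the following evaluates the classical bounds of Section 8.2 on a constructed joint distribution P(A,B,E) for the BB84 sifted key under the intercept-resend attack just described: the Csiszár-Körner lower bound I(A;B) - min[I(A;E), I(B;E)], the conditional mutual information I(A;B|E) of Eq. (8.3) (which is the bracket of Eq. (8.4) for the trivial map Ē = E and therefore upper-bounds the intrinsic information), and the factorisation P(A,B|E) = P(A|E)P(B|E) of Section 8.3. The encoding of Eve's record, the option of attacking only a fraction of the signals, and the exact form of the lower bound as coded are assumptions made here.

```python
from collections import defaultdict
from itertools import product
from math import log2

# Positions of Alice's bit, Bob's bit and Eve's record inside a joint outcome (a, b, e)
A, B, E = (0,), (1,), (2,)


def entropy(dist):
    """Shannon entropy in bits of a distribution {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(joint, keep):
    """Marginalise {(a, b, e): p} onto the outcome positions listed in `keep`."""
    out = defaultdict(float)
    for outcome, p in joint.items():
        out[tuple(outcome[i] for i in keep)] += p
    return dict(out)


def mutual_information(joint, x, y):
    """I(X;Y) = H(X) + H(Y) - H(X,Y); x and y are position tuples of the joint."""
    H = lambda idx: entropy(marginal(joint, idx))
    return H(x) + H(y) - H(x + y)


def conditional_mutual_information(joint, x, y, z):
    """Eq. (8.3), I(X;Y|Z) = H(X|Z) + H(Y|Z) - H(X,Y|Z), written via joint entropies."""
    H = lambda idx: entropy(marginal(joint, idx))
    return H(x + z) + H(y + z) - H(x + y + z) - H(z)


def csiszar_korner_lower_bound(joint):
    """Lower bound of Section 8.2: I(A;B) - min(I(A;E), I(B;E)), clipped at zero."""
    iab = mutual_information(joint, A, B)
    iae = mutual_information(joint, A, E)
    ibe = mutual_information(joint, B, E)
    return max(0.0, iab - min(iae, ibe))


def conditional_info_upper_bound(joint):
    """I(A;B|E), i.e. the bracket of Eq. (8.4) for the trivial map Ebar = E. The
    minimisation can only lower it, so this upper-bounds the intrinsic information
    and hence, via (8.5), the key rate; when it is zero, no key is possible."""
    return conditional_mutual_information(joint, A, B, E)


def bb84_intercept_resend(fraction=1.0):
    """Constructed P(A,B,E) for the BB84 sifted key when Eve intercept-resends a
    `fraction` of the signals. Eve's record is E = (attacked, same_basis, result);
    after public sifting she knows whether her basis matched Alice's and Bob's."""
    joint = defaultdict(float)
    for a in (0, 1):                                      # Alice's bit, uniform
        # signal left alone: Bob receives Alice's bit, Eve records nothing
        joint[(a, a, (0, 0, 0))] += 0.5 * (1 - fraction)
        # Eve's basis agrees: she reads a exactly and Bob receives a undisturbed
        joint[(a, a, (1, 1, a))] += 0.5 * fraction * 0.5
        # Eve's basis differs: her result r is random, and Bob, measuring in the
        # conjugate basis of the resent state, obtains a random bit b as well
        for r, b in product((0, 1), repeat=2):
            joint[(a, b, (1, 0, r))] += 0.5 * fraction * 0.5 * 0.25
    return {k: p for k, p in joint.items() if p > 0}


def error_rate(joint):
    """Fraction of sifted-key positions where Alice's and Bob's bits differ."""
    return sum(p for (a, b, _), p in joint.items() if a != b)


def factorises_given_eve(joint, tol=1e-12):
    """Check P(A,B|E) = P(A|E) P(B|E) for every value of E: the footprint of an
    entanglement breaking (intercept-resend) channel described in Section 8.3."""
    p_e, p_ae, p_be = marginal(joint, E), marginal(joint, A + E), marginal(joint, B + E)
    a_vals, b_vals = marginal(joint, A), marginal(joint, B)
    for (e,), pe in p_e.items():
        for (a,), (b,) in product(a_vals, b_vals):
            lhs = joint.get((a, b, e), 0.0) / pe
            rhs = p_ae.get((a, e), 0.0) * p_be.get((b, e), 0.0) / pe ** 2
            if abs(lhs - rhs) > tol:
                return False
    return True


if __name__ == "__main__":
    for f in (1.0, 0.5):
        j = bb84_intercept_resend(f)
        print(f"attacked fraction {f}: error rate {error_rate(j):.3f}, "
              f"lower bound {csiszar_korner_lower_bound(j):.3f}, "
              f"I(A;B|E) {conditional_info_upper_bound(j):.3f}, "
              f"P(A,B|E) factorises: {factorises_given_eve(j)}")
```

With the full attack the error rate is 25%, the lower bound is clipped to zero and I(A;B|E) vanishes, so (8.5) forbids any key; attacking only half of the signals gives 12.5% errors, a positive lower bound and I(A;B|E) = 0.5, illustrating the gap between the two bounds mentioned above.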



8.5.2. Unambiguous state discrimination attack 

Let us turn to an attack that is a special case of an intercept-resend attack. It applies whenever the signal states sent by Alice are linearly independent. In this case, Eve can measure the signals with an unambiguous state discrimination (USD) measurement so that with some probability she learns, without error, the exact signal, while in the remaining cases she is left without any information about the signal states (Dušek et al. [2000]). She can now selectively continue her attack. For example, she might forward a new signal to Bob only in those cases where she knows the signal for certain, while she might send no signal at all (corresponding to sending the vacuum state) in the remaining cases. With this strategy she is able to mimic a lossy channel. As a result, the data obtained by Alice and Bob show no obvious trace of eavesdropping whenever Bob obtains a signal. Despite this absence of visible disturbance of the signal degree of freedom, no secure key can be created. A typical protocol for which this problem arises is the variation of the B92 protocol (Bennett [1992b]) which uses single photons in non-orthogonal polarization states together with single-photon detections (see Section 3.1). This protocol becomes insecure once the transmissivity of the channel drops below a threshold which depends on the non-orthogonality of the signal states. The threshold is defined as the transmissivity where the probability of success of the USD measurement equals the detection probability for Bob via the lossy channel. In our example, the success probability of the USD measurement is given as P_USD = 1 - |⟨φ₀|φ₁⟩| and Bob obtains the fraction η of signals, where η is the transmissivity of the channel. Then we find for the threshold of the transmissivity the expression (Tamaki et al. [2003a])

\eta_{\mathrm{thresh}} = 1 - |\langle \varphi_0 | \varphi_1 \rangle| . (8.6)
8.5.3. Beam-splitting attack

The beam-splitting attack is a very natural attack for any optical implementation 
of QKD. The reason is that a lossy optical transmission line is very well described 
by a model consisting of an ideal line in which a beam-splitter is inserted which 
mimics the loss of the original line. Now Eve gets hold of the signal emerging 
from the second output of the beam-splitter, while Bob obtains the transmitted 
part. In some protocols, Eve can in these cases learn a fraction of the signal 
deterministically (Bennett et al. [1992a], Dušek et al. [2000]). This is the case, for
example, in implementations of the BB84 protocol with weak laser pulses instead 
of single photons. Alice prepares here weak laser pulses in the BB84 polarizations 
such that the signals contain also multi-photon pulses. The beam-splitter in Eve's 
attack gives for some of the signals some, or even all, photons of a signal pulse to 
Eve. She waits until Alice and Bob publicly communicate the polarization bases of 
the signals and measurement results. Then she measures her photons in the correct 
basis and obtains deterministically Alice's signals. If also Bob received at least one 
photon, then Eve knows deterministically also a bit of the sifted key (Inamori et 
al. [2001]). One can show that the secret key rate is therefore bounded by

R \le p_{\mathrm{exp}} - p_{\mathrm{split}} , (8.7)

where p_exp is the probability that a signal enters the sifted key, and p_split is the joint probability that Eve obtains at least one photon of the signal and that this signal enters the sifted key. In the case of weak laser pulses with mean photon number μ, we find

(8.8)

Actually, this upper bound is positive for all values of the average photon number μ and of the total transmissivity η. It is clear that this attack cannot be excluded by Alice and Bob by any additional test of the channel since it represents the physical model of the channel.

8.5.4. Photon-number splitting attack

In the beam-splitting attack the photons of the incoming signal states are distributed statistically to Eve and Bob. In principle, Eve could arrange a more effective method (Dušek et al. [1999a], Lütkenhaus [2000], Brassard et al. [2000]). We have seen that Eve learns an element of the sifted key whenever she and Bob obtain at least one photon. The beam-splitter, however, sometimes sends all photons of multi-photon pulses either to Eve or to Bob.

The improved eavesdropping attack, called photon-number splitting attack, starts with Eve performing a quantum non-demolition measurement of the total photon number of the signals. Whenever Eve finds a multi-photon signal, she deterministically splits one photon off, sending the other photons to Bob. Additionally, whenever she finds a single photon, she either blocks the signal or she performs a standard eavesdropping method on it and sends it on to Bob. As we see, errors in the polarization of the signal arise only from the eavesdropping on the single-photon signals. Ignoring this effect for the moment, we find again an upper bound on the possible secret key rate in analogy to the formula for the beam-splitting attack as (Brassard et al. [2000])

R \le p_{\mathrm{exp}} - p_{\mathrm{multi}} , (8.9)



where now p_multi is the joint probability that Alice sent a multi-photon signal and the signal enters the sifted key, while p_exp is the total probability that a signal enters the sifted key. We can evaluate this bound for a Poissonian photon number distribution with average photon number μ and a single-photon transmissivity η for the channel. In this case we find

(8.10)

which is positive only for certain combinations of μ and η. Generally, for given μ there is a cut-off transmissivity below which no secure key rate can be generated. Note that for a realization of this attack it is important that Eve can suppress signals at will (here some single-photon signals) without paying any penalty in the form of an error rate (see Sections 3.4 and 3.5).

8.6. RESULTS 

So far we discussed the principles of security proofs and specific attacks. Next we 
will summarize results of complete security analysis as they are known so far. The 
results are typically given only in the limit of a large number of signals, so that all 
statistical effects of finite sequences of signals can be neglected. 

8.6.1. Bennett 92 protocol with single photons 

The Bennett protocol of 1992 (B92 protocol) uses only two non-orthogonal signal 
states. As discussed before, this protocol is prone to the USD attack. Nevertheless, 
it is possible to achieve unconditional secure key distribution over lossy channels 
by adapting the overlap of the input signal states. This protocol has been analyzed 
for lossless channels (Tamaki et al. [2003b]) and for lossy channels (Tamaki and Lütkenhaus [2004]). There is no explicit closed formula for the key rate; for a
detailed discussion see the original publications. 

8.6.2. BB84 protocol with single photons 

The security of the BB84 protocol is well studied (Mayers [1996], Mayers [2001], Shor and Preskill [2000]). Mayers' proof did not make use of random permutations of the signals and resulted in a secure key rate given by

R = 1 - h(e) - h(2e) , (8.11)

where e is the observed error rate and h(x) is the binary entropy function given by h(x) = -x \log_2 x - (1 - x) \log_2 (1 - x). The secure rate given by Shor and Preskill is higher, as they include a random permutation of the signals, so that they obtain

R = 1 - 2h(e) . (8.12)



The cut-off error rate in this scenario is about 11%. However, we know that one can verify quantum correlations up to 25%. Gottesman and Lo [2003] proposed a two-way communication protocol in the public discussion part of the protocol (Phase II) which can come closer to this upper bound. It has been improved by Chau [2002] to tolerate 20%. This is at present the highest known error rate threshold for the BB84 protocol.

For this protocol, any loss in the channel reduces the rates only by a prefactor 
corresponding to the single-photon transmissivity. 

The key rates are given here without the prefactor 1/2 which would be expected 
since only in half of the cases the signal bases of Alice and Bob match. As Lo et al. 
[2005a] pointed out, Alice and Bob can choose the probabilities for the two signal 
bases asymmetrically. In the limit, they use basically only one basis, and test only 
a small number of signals in the other basis. Though this requires a larger sampling 
size, we can nevertheless get rid of the factor 1/2 in the rate formulas. 

8.6.3. The 6-state protocol 

The six-state protocol can be analyzed in similar fashion to the BB84 protocol. This has been done by Lo [2001] who found the key rate

R = 1 + \left(1 - \tfrac{3e}{2}\right) \log_2\!\left(1 - \tfrac{3e}{2}\right) + \tfrac{3e}{2} \log_2 \tfrac{e}{2} . (8.13)

Again, we made use of the idea that one can use the three bases of the protocol 
asymmetrically so that we do not have a prefactor 1/3. 

Also for this protocol there are improved two-way protocols. The best error 
threshold found so far is given by Chau [2002] as 27.6%. 

8.6.4. BB84 protocol with weak laser pulses 

For practical realizations the BB84 protocol using weak laser pulses has special importance. The security of this protocol has been investigated by Inamori et al. [2001]. For this case we do not only have the key rate for long sequences, but also the complete analysis for finite key sizes. It extends the results by Mayers for the single-photon BB84, and therefore does not use the random permutation of signals. This random permutation has been introduced by Gottesman et al. [2004], so that the final key rate in the long key limit is given by

R = (1 - \Delta) - h(e) - (1 - \Delta)\, h\!\left( \frac{e}{1 - \Delta} \right) , (8.14)

where Δ is the fraction of signals received by Bob which might have leaked all their signal information to Eve via a multi-photon process. This fraction is given via the multi-photon probability of the source, p_multi, and the total signal detection probability for Bob, p_exp, as

\Delta = \frac{p_{\mathrm{multi}}}{p_{\mathrm{exp}}} . (8.15)

This result holds against the most general attack of Eve, the coherent attack where Eve may delay her measurements. Moreover, it allows one to give reasonable secret key rates already in the paranoid picture where all of Bob's detection imperfections (dark counts, detection efficiency) are ascribed to Eve.

Clearly one can optimize the parameters of the experimental set-up. By variation of the mean photon number μ of the signals we find that one should choose approximately μ ≈ η so that the key rate scales as R ~ η²; η is the total transmissivity.
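As an added worked example (Python written for this page, not code from the cited papers), the following evaluates the rate formulas (8.11), (8.12) and (8.13) and bisects for their cut-off error rates, and for a Poissonian source evaluates the PNS bound (8.9) and the weak-pulse rate (8.14)-(8.15) to locate the cut-off transmissivity of Section 8.5.4 and the optimal mean photon number of this section. The detection model p_exp = 1 - exp(-ημ) (no dark counts, ideal detectors, basis factor 1/2 dropped), the multiplication by p_exp to count secret bits per signal sent, and the grid search are assumptions made here, and the Mayers cut-off is computed although the text does not quote it.

```python
import math


def h(x):
    """Binary entropy h(x) = -x log2 x - (1-x) log2(1-x), with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def rate_mayers(e):
    """Eq. (8.11): single-photon BB84, no random permutation of the signals."""
    return 1 - h(e) - h(2 * e)


def rate_shor_preskill(e):
    """Eq. (8.12): single-photon BB84 with a random permutation of the signals."""
    return 1 - 2 * h(e)


def rate_six_state(e):
    """Eq. (8.13), Lo [2001], for 0 <= e < 2/3."""
    if e <= 0.0:
        return 1.0
    q = 1.5 * e
    return 1 + (1 - q) * math.log2(1 - q) + q * math.log2(e / 2)


def cutoff_error_rate(rate_fn, hi=0.3, iters=60):
    """Bisect for the error rate at which `rate_fn` drops to zero on [0, hi]."""
    lo = 0.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if rate_fn(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def poisson_p_multi(mu):
    """Probability that a Poissonian pulse of mean photon number mu has >= 2 photons."""
    return 1 - math.exp(-mu) * (1 + mu)


def p_exp(mu, eta):
    """Probability that a signal enters the sifted key. Model assumed here (not from
    the text): Bob registers a click whenever at least one photon survives a channel
    of transmissivity eta; no dark counts, ideal detectors, basis factor 1/2 dropped."""
    return 1 - math.exp(-eta * mu)


def pns_upper_bound(mu, eta):
    """Eq. (8.9) per signal sent: R <= p_exp - p_multi."""
    return p_exp(mu, eta) - poisson_p_multi(mu)


def pns_cutoff_transmissivity(mu, iters=60):
    """Transmissivity below which the PNS bound (8.9) is non-positive for given mu."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if pns_upper_bound(mu, mid) > 0.0:
            hi = mid
        else:
            lo = mid
    return 0.5 * (lo + hi)


def gllp_rate(mu, eta, e):
    """Eqs. (8.14)-(8.15), multiplied by p_exp to count secret bits per signal sent."""
    pe = p_exp(mu, eta)
    delta = poisson_p_multi(mu) / pe
    if delta >= 1.0 or e / (1 - delta) >= 0.5:
        return 0.0
    per_sifted_bit = (1 - delta) - h(e) - (1 - delta) * h(e / (1 - delta))
    return max(0.0, pe * per_sifted_bit)


def optimise_mu(eta, e, grid=2000):
    """Grid search of the mean photon number on (0, 1]; returns (mu_opt, rate)."""
    best = (0.0, 0.0)
    for k in range(1, grid + 1):
        mu = k / grid
        r = gllp_rate(mu, eta, e)
        if r > best[1]:
            best = (mu, r)
    return best


if __name__ == "__main__":
    for name, fn in (("Mayers (8.11)", rate_mayers),
                     ("Shor-Preskill (8.12)", rate_shor_preskill),
                     ("six-state (8.13)", rate_six_state)):
        print(f"{name}: cut-off error rate {cutoff_error_rate(fn):.4f}")
    print(f"PNS cut-off transmissivity for mu = 0.1: {pns_cutoff_transmissivity(0.1):.4f}")
    for eta in (0.1, 0.05, 0.025):
        mu, r = optimise_mu(eta, 0.0)
        print(f"eta = {eta}: mu_opt = {mu:.4f} (mu/eta = {mu / eta:.2f}), R = {r:.2e}")
```

Halving η roughly quarters the optimal rate while μ_opt stays close to η, which is the R ~ η² scaling stated above; the Shor-Preskill cut-off comes out at the 11% quoted in Section 8.6.2.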
8.6.5. BB84 with weak laser pulses and decoy states

The BB84 protocol with weak laser pulses gives a rate of R ~ η² which is mainly dictated by the photon-number splitting attack. One possibility to avoid this attack is to use so-called decoy states (Hwang [2003], Lo et al. [2005b], Wang [2004a], Wang [2004b]). Here Alice tests the channel not only with signals having one average mean photon number. Instead, she randomly varies the mean photon number; this she might do with two, three, or many intensity settings. The idea is that Eve can now no longer complete the full PNS attack. Of course, she can still split one photon from each multi-photon pulse, but she can no longer block the correct number of single-photon signals for each subset of signals with the same average photon number. Effectively, this forces Eve back to using the beam-splitting attack only.

This basic idea is supported by the full security analysis (Lo et al. [2005b]), and one finds that the final key rate scales as R ~ η, which is a clear improvement of the performance of these schemes. Indeed, distances of more than 100 km are now possible without giving up a conservative, paranoid security notion.

8.6.6. B92 with strong phase reference pulses

Another approach to improve the rate of QKD protocols is the use of coherent states with a phase reference. The idea here is, again, to make it impossible for Eve to suppress signals without paying a penalty. The ability to do just that is what makes the USD attack and the PNS attack so powerful. This scheme has been analyzed by Koashi [2004], who confirmed that in this case the secure key rate scales again as R ~ η.

8.7. SIDE CHANNELS AND OTHER IMPERFECTIONS 

So far we discussed the security assuming that the signals are prepared exactly 
as described in the protocol. However, in physical realizations there might be 
many imperfections. For example, the preparation of different signal polarizations 
might also affect other degrees of freedom of the signals, for example the timing 
or the spectrum of the signals. Therefore, by monitoring other than the intended 
degrees of freedom Eve might obtain information about the signal which is not 
captured in the typical security analysis. This situation applies also to classical 
cryptography where measurable quantities such as power consumption might help 
to break classical ciphers. 

Other imperfections come into play. Consider the detection process: typically, we 
assume that the choices of signals happen at random. What if Eve can have some 
information about the basis or signal choice beforehand, if the detectors show some 
dependence of the chosen signal basis, or if Eve could manipulate the detectors to 
some degree? One example is Eve's strategy to apply a simple intercept-resend 
attack mimicking Bob's measurement strategy. Then Eve forwards not only a 
single photon, but a strong light pulse in the polarization that corresponds to the 
measurement result. If Bob's and Eve's measurement bases agree, Bob just recovers 
the signal without error. When the bases disagree, with almost certainty Bob will 
find that both of his single-photon detectors will fire. If Bob discards these events, 
this would open a loophole for Eve to manipulate Bob. For this reason, Bob has to keep those events, effectively increasing the error rate since he has to assign a random outcome.

Further, the setting of Bob's measurement basis could be betrayed by detector 
backflashes (see Section 5.2.1). Eve could also try to flash to Alice's device and 
hope to get her setting by measuring the reflected light. All similar possibilities 
must be carefully considered and eliminated. 

These questions are currently under investigation. One often finds the term 'Trojan horse attack', as coined by Lo [2001], for any attack which exploits the circumstance that Alice's and Bob's devices do not operate only on the degree of freedom specified in the ideal protocol. It turns out that many imperfections, once one has a quantitative bound on them, can be dealt with (Gottesman et al. [2004]). As long as they are small, their influence on the resulting key rates is small.

§ 9. Prospects 

It is apparent that quantum cryptography is now ready to offer efficient and user-friendly systems providing an unprecedented level of security. While classical methods are still safe enough for short-lifetime encryption, quantum cryptography may prove valuable when thinking in longer terms. The progress in the development of quantum computers can play a significant role in speeding up the growth of the need for QKD in the IT market. Quantum key distribution can also be well combined with existing infrastructure. Even QKD with a very low bit rate (hundreds of bits per second) can significantly improve the security of contemporary cryptosystems. It makes it possible, e.g., to change the secret key for symmetric ciphers like AES several times per second.

The widespread use of QKD is now restrained mainly by the limited operational range (up to about 100 km). There are three main technological challenges whose solution can help to improve this situation: substantial reduction of the noise of detectors working at wavelengths suitable for fiber communications (1550 nm), the development of ultra-low-attenuation fibers (based, e.g., on photonic crystals), or the development of quantum repeaters.

A challenging opportunity for future global secure networks is long-distance quantum communication between Earth and a satellite, between two satellites, or between a satellite and a plane (Aspelmeyer et al. [2003]). The disturbing influence of the atmosphere constrains terrestrial free-space quantum cryptography to short-range communications. On the other hand, in outer space and at higher levels of the atmosphere (above 10 km) only losses due to beam geometry are important.